CVE-2022-30600: Incorrect Calculation in moodle
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.80731%
CWE
Published
5/19/2022
Updated
9/12/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | >= 4.0, < 4.0.1 | 4.0.1 |
moodle/moodle | composer | >= 3.9, < 3.9.14 | 3.9.14 |
moodle/moodle | composer | >= 3.10, < 3.10.11 | 3.10.11 |
moodle/moodle | composer | >= 3.11, < 3.11.7 | 3.11.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the absence of a lock mechanism in the login_attempt_failed() function prior to the patch. The commit diff shows the fix introduced a resource lock and user preference cache reload to ensure atomic increments of login_failed_count. Without this lock, concurrent threads could read outdated values of the failed login counter, increment them independently, and fail to trigger the lockout threshold correctly. The function's logic to count/update failed attempts was not thread-safe, making it the clear vulnerable entry point.