
CVE-2022-30600: Incorrect Calculation in moodle

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.80731%
Published: 5/19/2022
Updated: 9/12/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected packages:

Package Name    Ecosystem   Vulnerable Versions    First Patched Version
moodle/moodle   composer    >= 4.0, < 4.0.1        4.0.1
moodle/moodle   composer    >= 3.9, < 3.9.14       3.9.14
moodle/moodle   composer    >= 3.10, < 3.10.11     3.10.11
moodle/moodle   composer    >= 3.11, < 3.11.7      3.11.7

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from the absence of a lock mechanism in the login_attempt_failed() function prior to the patch. The commit diff shows that the fix introduced a resource lock and a user preference cache reload to ensure atomic increments of login_failed_count. Without this lock, concurrent requests could each read an outdated value of the failed login counter, increment it independently, and write back the same value, so the lockout threshold was never reached. The function's logic for counting and updating failed attempts was not safe under concurrent execution, making it the clear vulnerable entry point.
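The lost-update race described above, modelled as an added example that is not Moodle's code: a constructed in-memory CounterStore stands in for the login_failed_count user preference, a thread barrier forces the worst-case interleaving deterministically, and LOCKOUT_THRESHOLD is an assumed value rather than Moodle's site setting. The unlocked handler mirrors the pre-patch read-then-write pattern; the locked handler mirrors the fix (acquire a resource lock, reload the value, then increment).

```python
import threading
from typing import Callable, Tuple

# Assumed threshold; Moodle's real value is the site's lockout setting.
LOCKOUT_THRESHOLD = 3


class CounterStore:
    """Constructed stand-in for the per-user preference holding login_failed_count."""

    def __init__(self) -> None:
        self.login_failed_count = 0
        self.resource_lock = threading.Lock()


def attempt_failed_unlocked(store: CounterStore, all_read: threading.Barrier) -> None:
    """Vulnerable pattern: read the cached counter, then write it back with no lock.

    The barrier makes every concurrent request read before any of them writes,
    which is the interleaving that loses updates."""
    cached = store.login_failed_count      # stale read from the preference cache
    all_read.wait()
    store.login_failed_count = cached + 1  # every request writes the same value


def attempt_failed_locked(store: CounterStore, all_read: threading.Barrier) -> None:
    """Patched pattern: hold the resource lock, reload the value, then increment."""
    all_read.wait()                        # same burst of concurrent requests
    with store.resource_lock:
        fresh = store.login_failed_count   # reload only after the lock is held
        store.login_failed_count = fresh + 1


def run_burst(n_requests: int, handler: Callable) -> Tuple[int, bool]:
    """Fire n_requests concurrent failed logins through handler.

    Returns (final counter value, whether the lockout threshold was reached)."""
    store = CounterStore()
    barrier = threading.Barrier(n_requests)
    workers = [threading.Thread(target=handler, args=(store, barrier))
               for _ in range(n_requests)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return store.login_failed_count, store.login_failed_count >= LOCKOUT_THRESHOLD


if __name__ == "__main__":
    print("unlocked:", run_burst(5, attempt_failed_unlocked))  # (1, False): threshold bypassed
    print("locked:  ", run_burst(5, attempt_failed_locked))    # (5, True)
```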


WAF Protection Rules

WAF Rule

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
