CVE-2012-6087

repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.

CVSS v2.0 5.8 MEDIUM

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615	Patch
http://www.openwall.com/lists/oss-security/2013/01/03/1
https://moodle.org/mod/forum/discuss.php?d=238393	Patch Vendor Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615	Patch
http://www.openwall.com/lists/oss-security/2013/01/03/1
https://moodle.org/mod/forum/discuss.php?d=238393	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle:2.2.0:::::::*
	cpe:2.3:a:moodle:moodle:2.2.1:::::::*
	cpe:2.3:a:moodle:moodle:2.2.2:::::::*
	cpe:2.3:a:moodle:moodle:2.2.3:::::::*
	cpe:2.3:a:moodle:moodle:2.2.4:::::::*
	cpe:2.3:a:moodle:moodle:2.2.5:::::::*
	cpe:2.3:a:moodle:moodle:2.2.6:::::::*
	cpe:2.3:a:moodle:moodle:2.2.7:::::::*
	cpe:2.3:a:moodle:moodle:2.2.8:::::::*
	cpe:2.3:a:moodle:moodle:2.2.9:::::::*
	cpe:2.3:a:moodle:moodle:2.2.10:::::::*
	cpe:2.3:a:moodle:moodle:2.3.0:::::::*
	cpe:2.3:a:moodle:moodle:2.3.1:::::::*
	cpe:2.3:a:moodle:moodle:2.3.2:::::::*
	cpe:2.3:a:moodle:moodle:2.3.3:::::::*
	cpe:2.3:a:moodle:moodle:2.3.4:::::::*
	cpe:2.3:a:moodle:moodle:2.3.5:::::::*
	cpe:2.3:a:moodle:moodle:2.3.6:::::::*
	cpe:2.3:a:moodle:moodle:2.3.7:::::::*
	cpe:2.3:a:moodle:moodle:2.3.8:::::::*
	cpe:2.3:a:moodle:moodle:2.4.0:::::::*
	cpe:2.3:a:moodle:moodle:2.4.1:::::::*
	cpe:2.3:a:moodle:moodle:2.4.2:::::::*
	cpe:2.3:a:moodle:moodle:2.4.3:::::::*
	cpe:2.3:a:moodle:moodle:2.4.4:::::::*
	cpe:2.3:a:moodle:moodle:2.4.5:::::::*
	cpe:2.3:a:moodle:moodle:2.5.0:::::::*
	cpe:2.3:a:moodle:moodle:2.5.1:::::::*

History

21 Nov 2024, 01:45

Type	Values Removed	Values Added
References	~~() http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615 - Patch~~	() http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615 - Patch
References	~~() http://www.openwall.com/lists/oss-security/2013/01/03/1 -~~	() http://www.openwall.com/lists/oss-security/2013/01/03/1 -
References	~~() https://moodle.org/mod/forum/discuss.php?d=238393 - Patch, Vendor Advisory~~	() https://moodle.org/mod/forum/discuss.php?d=238393 - Patch, Vendor Advisory

Information

Published : 2013-09-16 13:02

Updated : 2025-04-11 00:51

NVD link : CVE-2012-6087

Mitre link : CVE-2012-6087

CVE.ORG link : CVE-2012-6087

JSON object : View

Products Affected

moodle

moodle

CWE

CWE-20

Improper Input Validation

5.8 /10