CVE-2015-2267
First published: Mon Jun 01 2015(Updated: )
mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.8.0<2.8.4 | 2.8.4 |
| composer/moodle/moodle | >=2.7.0<2.7.6 | 2.7.6 |
| composer/moodle/moodle | <2.6.9 | 2.6.9 |
| Moodle | <=2.5.9 | |
| Moodle | =2.5.0 | |
| Moodle | =2.5.1 | |
| Moodle | =2.5.2 | |
| Moodle | =2.5.3 | |
| Moodle | =2.5.4 | |
| Moodle | =2.5.5 | |
| Moodle | =2.5.6 | |
| Moodle | =2.5.7 | |
| Moodle | =2.5.8 | |
| Moodle | =2.6.0 | |
| Moodle | =2.6.1 | |
| Moodle | =2.6.2 | |
| Moodle | =2.6.3 | |
| Moodle | =2.6.4 | |
| Moodle | =2.6.5 | |
| Moodle | =2.6.6 | |
| Moodle | =2.6.7 | |
| Moodle | =2.6.8 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 | |
| Moodle | =2.7.3 | |
| Moodle | =2.7.4 | |
| Moodle | =2.7.5 | |
| Moodle | =2.8.0 | |
| Moodle | =2.8.1 | |
| Moodle | =2.8.2 | |
| Moodle | =2.8.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087
- http://openwall.com/lists/oss-security/2015/03/16/1
- https://moodle.org/mod/forum/discuss.php?d=307381
- https://nvd.nist.gov/vuln/detail/CVE-2015-2267
- https://github.com/moodle/moodle/commit/12a8fcb5e45c58ee8267ad0472852c2b80a19878
- https://github.com/moodle/moodle/commit/240e7be7341afa31096fdbf3f242a7966f6237ab
- https://github.com/moodle/moodle/commit/4475f1e478370fb97933127ec60e40f39e285da1
- https://github.com/moodle/moodle/commit/76da7e9bc88669eab62f83f04639ba356a0b0c5a
- https://github.com/moodle/moodle/commit/83866c3c2a5b1391317172eea0b4f017c6d142d2
- https://github.com/moodle/moodle/commit/84f9f60b67e1e20058fbe2afa473607d075aff63
- https://github.com/moodle/moodle/commit/8d9bdd28e049ca6b6b2a4ab8f142097c2f907df6
- https://github.com/moodle/moodle/commit/a47aabc7833d0c88a83791d99a1204742c33f59b
- https://github.com/moodle/moodle/commit/c353a6202658f320096a41e94494063393153b7f
- https://github.com/moodle/moodle/commit/de169b7944e36d374d55e3f396d90ab2b4303afb
- https://github.com/advisories/GHSA-cm4r-58pj-h2ph (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-2267?
CVE-2015-2267 is classified as a high severity vulnerability allowing unauthorized access to the file system.
How do I fix CVE-2015-2267?
To fix CVE-2015-2267, upgrade to Moodle version 2.6.9, 2.7.6, or 2.8.4 or later.
What are the affected versions by CVE-2015-2267?
Affected versions include Moodle 2.5.0 to 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4.
Who can exploit CVE-2015-2267?
Remote authenticated users can exploit CVE-2015-2267 to bypass access restrictions.
What type of vulnerability is CVE-2015-2267?
CVE-2015-2267 is a vulnerability that allows the extraction of archives to arbitrary directories.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-cm4r-58pj-h2ph
- alias/CVE-2015-2267
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.5.9
- version/moodle/2.5.0
- version/moodle/2.5.1
- version/moodle/2.5.2
- version/moodle/2.5.3
- version/moodle/2.5.4
- version/moodle/2.5.5
- version/moodle/2.5.6
- version/moodle/2.5.7
- version/moodle/2.5.8
- version/moodle/2.6.0
- version/moodle/2.6.1
- version/moodle/2.6.2
- version/moodle/2.6.3
- version/moodle/2.6.4
- version/moodle/2.6.5
- version/moodle/2.6.6
- version/moodle/2.6.7
- version/moodle/2.6.8
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2
- version/moodle/2.7.3
- version/moodle/2.7.4
- version/moodle/2.7.5
- version/moodle/2.8.0
- version/moodle/2.8.1
- version/moodle/2.8.2
- version/moodle/2.8.3