Bug 1012960 - (CVE-2016-8644) VUL-0: CVE-2016-8644: moodle: Incorrect capability check may have allowed users to view course notes
(CVE-2016-8644)
VUL-0: CVE-2016-8644: moodle: Incorrect capability check may have allowed use...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Lars Vogdt
Security Team bot
https://smash.suse.de/issue/176991/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-12-01 08:39 UTC by Alexander Bergmann
Modified: 2017-02-01 16:27 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-12-01 23:00:50 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2017-02-01 12:56:22 UTC
Public at https://moodle.org/mod/forum/discuss.php?d=343277

MSA-16-0025: Capability to view course notes is checked in the wrong context
Monday, November 21, 2016, 11:49 AM
 
Description: Incorrect capability check may have allowed users to view course notes when they had site-wide permission which was revoked inside a course

Issue summary: Notes has_capability check not called for correct context
Severity/Risk: 	Minor
Versions affected: 	3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions

Versions fixed: 	3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: 	Andrew Nicols
Issue no.: 	MDL-51347
CVE identifier: 	CVE-2016-8644
Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51347

Already fixed in 
Education/moodle3_1 3.1.4
Education/moodle3_2 3.1.3/3.2.1
Comment 3 Lars Vogdt 2017-02-01 16:27:46 UTC
Our online Moodle 3.2.1 is not affected.

Checked the other moodle packages in Education: only the 3.1 and 3.2 versions are enabled - the rest is build disabled since a long time now and will get removed end of February. 

=> Closing as fixed, thanks for keeping an eye on it.