Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-35650

CVE-2022-35650: Moodle Path Traversal Vulnerability

CVE-2022-35650 is a path traversal flaw in Moodle that allows authenticated users to read arbitrary files. This article covers the technical details, affected versions, security impact, and mitigation strategies.

Published:

CVE-2022-35650 Overview

CVE-2022-35650 is a directory traversal vulnerability discovered in Moodle, the widely-used open-source learning management system. The vulnerability occurs due to an input validation error when importing lesson questions, where insufficient path checks allow attackers to read arbitrary files from the server filesystem.

This vulnerability enables a remote attacker to perform directory traversal attacks by manipulating file path inputs during the lesson question import process. While the capability to access this feature is limited to teachers, managers, and administrators by default, a compromised or malicious privileged account could exploit this flaw to access sensitive configuration files, database credentials, or other critical system information.

Critical Impact

Authenticated users with teacher-level privileges or higher can read arbitrary files from the Moodle server, potentially exposing sensitive configuration data, credentials, and private user information.

Affected Products

  • Moodle (multiple versions)
  • Fedora 35
  • Fedora 36

Discovery Timeline

  • 2022-07-25 - CVE-2022-35650 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-35650

Vulnerability Analysis

The vulnerability resides in Moodle's lesson question import functionality, which fails to properly validate and sanitize file path inputs. When users with appropriate privileges (teachers, managers, or administrators) import lesson questions, the application processes file references without adequately checking for path traversal sequences such as ../ or encoded variants.

This input validation weakness (CWE-20) combined with improper path handling (CWE-22) allows attackers to escape the intended directory structure and access files anywhere on the filesystem that the web server process has read permissions for. The attack requires network access and authenticated privileges, but no user interaction is needed once the attacker has valid credentials.

Root Cause

The root cause of CVE-2022-35650 is insufficient input validation in the lesson question import handler. The application fails to properly sanitize user-supplied file paths, allowing directory traversal sequences to bypass intended access restrictions. This represents both an improper input validation flaw (CWE-20) and a classic path traversal vulnerability (CWE-22).

Attack Vector

The attack vector is network-based, requiring an authenticated session with at least teacher-level privileges. An attacker would craft a malicious lesson question import request containing path traversal sequences designed to access files outside the intended upload directory.

The exploitation involves manipulating the file path parameter during the import process to include directory traversal characters. For example, an attacker might reference a path like ../../../../../../etc/passwd or target Moodle's own config.php file to extract database credentials and other sensitive configuration values.

Due to the authenticated nature of this vulnerability, threat actors would typically need to either compromise existing privileged accounts through phishing or credential theft, or exploit this vulnerability in conjunction with other authentication bypass flaws.

Detection Methods for CVE-2022-35650

Indicators of Compromise

  • Unusual file access patterns in web server logs, particularly requests attempting to access files outside the Moodle data directory
  • Log entries showing path traversal sequences (../, ..%2f, %2e%2e/) in lesson import-related requests
  • Access attempts to sensitive system files such as /etc/passwd, /etc/shadow, or Moodle's config.php
  • Anomalous activity from teacher or admin accounts accessing lesson import features repeatedly

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
  • Configure intrusion detection systems to alert on suspicious file path patterns in Moodle-related traffic
  • Enable verbose logging on the Moodle application and review logs for lesson import activity
  • Monitor file access events on the server for reads of sensitive configuration files by the web server process

Monitoring Recommendations

  • Enable audit logging for all lesson import activities within Moodle
  • Set up alerts for high-frequency lesson import requests from single user accounts
  • Monitor web server error logs for "file not found" or "permission denied" errors that may indicate traversal attempts
  • Implement file integrity monitoring on critical system and configuration files

How to Mitigate CVE-2022-35650

Immediate Actions Required

  • Update Moodle to the latest patched version immediately
  • Review audit logs for any suspicious lesson import activity from privileged accounts
  • Temporarily restrict lesson import capabilities to only essential administrative accounts
  • Audit all teacher, manager, and admin accounts for signs of compromise

Patch Information

Moodle has released security patches addressing this vulnerability. The fix is tracked under the identifier MDL-72029. Administrators should update to the latest supported version of Moodle that includes this patch. Detailed commit information is available through the Moodle Commit Search MDL-72029 and the official security advisory at Moodle Forum Discussion #436457.

Fedora users should apply the security updates distributed through the official package repositories.

Workarounds

  • If immediate patching is not possible, consider temporarily disabling the lesson import feature at the application level
  • Implement additional path validation at the web server or reverse proxy level to filter traversal sequences
  • Restrict file system permissions to limit what files the web server process can read
  • Use a web application firewall to block requests containing directory traversal patterns
bash
# Configuration example for Apache mod_security to block path traversal
SecRule ARGS "@contains ../" "id:1001,phase:2,deny,status:403,msg:'Path Traversal Attempt Detected'"
SecRule ARGS "@contains ..%2f" "id:1002,phase:2,deny,status:403,msg:'Encoded Path Traversal Attempt'"
SecRule ARGS "@contains %2e%2e" "id:1003,phase:2,deny,status:403,msg:'Double-encoded Path Traversal Attempt'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.