CVE-2022-35650 Overview
CVE-2022-35650 is a directory traversal vulnerability discovered in Moodle, the widely used open-source learning management system. The vulnerability occurs due to an input validation error when importing lesson questions, where insufficient path checks allow attackers to read arbitrary files from the server filesystem.
This vulnerability enables a remote attacker to perform directory traversal attacks by manipulating file path inputs during the lesson question import process. While the capability to access this feature is limited to teachers, managers, and administrators by default, a compromised or malicious privileged account could exploit this flaw to access sensitive configuration files, database credentials, or other critical system information.
Critical Impact
Authenticated users with teacher-level privileges or higher can read arbitrary files from the Moodle server, potentially exposing sensitive configuration data, credentials, and private user information.
Affected Products
- Moodle (multiple versions)
- Fedora 35
- Fedora 36
Discovery Timeline
- 2022-07-25 - CVE-2022-35650 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-35650
Vulnerability Analysis
The vulnerability resides in Moodle's lesson question import functionality, which fails to properly validate and sanitize file path inputs. When users with appropriate privileges (teachers, managers, or administrators) import lesson questions, the application processes file references without adequately checking for path traversal sequences such as ../ or encoded variants.
This input validation weakness (CWE-20) combined with improper path handling (CWE-22) allows attackers to escape the intended directory structure and access files anywhere on the filesystem that the web server process has read permissions for. The attack requires network access and authenticated privileges, but no user interaction is needed once the attacker has valid credentials.
Root Cause
The root cause of CVE-2022-35650 is insufficient input validation in the lesson question import handler. The application fails to properly sanitize user-supplied file paths, allowing directory traversal sequences to bypass intended access restrictions. This represents both an improper input validation flaw (CWE-20) and a classic path traversal vulnerability (CWE-22).
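As an added illustration (not Moodle's code and not the patch), the following Python contrasts a weak check that only looks for a literal "../" with a containment check that normalises the joined path and requires it to stay under the import directory; the directory path is a constructed example.

```python
import posixpath

# Constructed example of a lesson import working directory (not a real Moodle path).
IMPORT_ROOT = "/var/moodledata/temp/lesson_import"


def naive_is_allowed(user_path: str) -> bool:
    """Illustrative weak check (not Moodle's code): rejects only a literal '../'.
    It says nothing about where the path actually ends up, so an absolute path
    such as '/etc/passwd' passes and replaces the base directory on join, while
    a harmless 'questions/../q2.xml' is rejected."""
    return "../" not in user_path


def resolve_inside(base_dir: str, user_path: str):
    """Hardened check: join, normalise, and require the result to remain under
    base_dir. Returns the canonical path, or None when it escapes.

    posixpath is used so the behaviour is identical on every platform; on a
    live server also apply os.path.realpath to the existing file so a symlink
    inside the import directory cannot point outside it."""
    base = posixpath.normpath(base_dir)
    # posixpath.join discards base_dir when user_path is absolute, which is
    # exactly what the commonpath comparison below catches.
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for p in ["questions/q1.xml", "questions/../q2.xml",
              "../../../../../../etc/passwd", "/etc/passwd",
              "questions/../../config.php"]:
        print(f"{p!r:40} naive={naive_is_allowed(p)!s:5} "
              f"safe={resolve_inside(IMPORT_ROOT, p)}")
```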
Attack Vector
The attack vector is network-based, requiring an authenticated session with at least teacher-level privileges. An attacker would craft a malicious lesson question import request containing path traversal sequences designed to access files outside the intended upload directory.
The exploitation involves manipulating the file path parameter during the import process to include directory traversal characters. For example, an attacker might reference a path like ../../../../../../etc/passwd or target Moodle's own config.php file to extract database credentials and other sensitive configuration values.
Due to the authenticated nature of this vulnerability, threat actors would typically need to either compromise existing privileged accounts through phishing or credential theft, or exploit this vulnerability in conjunction with other authentication bypass flaws.
Detection Methods for CVE-2022-35650
Indicators of Compromise
- Unusual file access patterns in web server logs, particularly requests attempting to access files outside the Moodle data directory
- Log entries showing path traversal sequences (../, ..%2f, %2e%2e/) in lesson import-related requests
- Access attempts to sensitive system files such as /etc/passwd, /etc/shadow, or Moodle's config.php
- Anomalous activity from teacher or admin accounts accessing lesson import features repeatedly
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Configure intrusion detection systems to alert on suspicious file path patterns in Moodle-related traffic
- Enable verbose logging on the Moodle application and review logs for lesson import activity
- Monitor file access events on the server for reads of sensitive configuration files by the web server process
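An added example (not from the page or from Moodle) of the log review described in the indicators and detection strategies above: a Python scan over constructed access-log lines that percent-decodes repeatedly, so the single- and double-encoded variants (..%2f, %2e%2e/, %252e%252e) all collapse to ".." before matching. The /mod/lesson/import.php URL and the "file" parameter are assumptions used only to make the sample concrete.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines, not real traffic. The
# /mod/lesson/import.php URL and the "file" parameter are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2022:10:01:12 +0000] "GET /moodle/mod/lesson/import.php?id=42 HTTP/1.1" 200 5120
10.0.0.5 - - [25/Jul/2022:10:01:40 +0000] "POST /moodle/mod/lesson/import.php?id=42&file=questions.xml HTTP/1.1" 200 812
10.0.0.9 - - [25/Jul/2022:10:03:02 +0000] "POST /moodle/mod/lesson/import.php?id=42&file=..%2f..%2f..%2fconfig.php HTTP/1.1" 200 3001
10.0.0.9 - - [25/Jul/2022:10:03:30 +0000] "POST /moodle/mod/lesson/import.php?id=42&file=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 2200
10.0.0.7 - - [25/Jul/2022:10:04:10 +0000] "GET /moodle/course/view.php?id=3 HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# ".." followed by a forward or back slash, matched after decoding
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing so that single-, double-
    and triple-encoded sequences (%2e%2e, %252e%252e) all collapse to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text: str, path_marker: str = "/lesson/import"):
    """Return (client_ip, raw_url) for lesson-import requests whose decoded
    URL contains a traversal sequence. Matching on the decoded form avoids
    keeping a separate pattern per encoding variant."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or path_marker not in m.group(1):
            continue
        if TRAVERSAL_RE.search(full_decode(m.group(1))):
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for ip, url in find_traversal(SAMPLE_LOG):
        print(f"ALERT {ip} {url}")
```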
Monitoring Recommendations
- Enable audit logging for all lesson import activities within Moodle
- Set up alerts for high-frequency lesson import requests from single user accounts
- Monitor web server error logs for "file not found" or "permission denied" errors that may indicate traversal attempts
- Implement file integrity monitoring on critical system and configuration files
How to Mitigate CVE-2022-35650
Immediate Actions Required
- Update Moodle to the latest patched version immediately
- Review audit logs for any suspicious lesson import activity from privileged accounts
- Temporarily restrict lesson import capabilities to only essential administrative accounts
- Audit all teacher, manager, and admin accounts for signs of compromise
Patch Information
Moodle has released security patches addressing this vulnerability. The fix is tracked under the identifier MDL-72029. Administrators should update to the latest supported version of Moodle that includes this patch. Detailed commit information is available by searching Moodle's commit history for MDL-72029, and the official security advisory is Moodle forum discussion #436457.
Fedora users should apply the security updates distributed through the official package repositories.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the lesson import feature at the application level
- Implement additional path validation at the web server or reverse proxy level to filter traversal sequences
- Restrict file system permissions to limit what files the web server process can read
- Use a web application firewall to block requests containing directory traversal patterns
# Configuration example for Apache mod_security to block path traversal.
# ModSecurity URL-decodes ARGS once before matching, so a literal "..%2f" or
# "%2e%2e" in ARGS only appears when the request was double-encoded.
# t:urlDecodeUni applies a further decode so one rule covers plain, encoded
# and double-encoded "../" and "..\" sequences; log the match for review.
SecRule ARGS "@rx \.\.[/\x5c]" "id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Path traversal sequence in request argument'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.