CVE-2024-43440 Overview
A path traversal vulnerability exists in Moodle, the open-source learning management system. The flaw allows a local file to be included when restoring block backups, exposing sensitive file contents to an attacker. The issue is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
The vulnerability is exploitable over the network without authentication or user interaction. Successful exploitation results in confidentiality impact on the affected Moodle instance. The issue was disclosed through the Moodle Forum Discussion #461210 and documented in Red Hat Bug Report #2304269.
Critical Impact
Attackers can read arbitrary local files on Moodle servers by abusing the block backup restoration process, leading to disclosure of configuration data, credentials, and other sensitive content.
Affected Products
- Moodle (multiple versions prior to the patched releases)
- Moodle deployments using block backup and restore functionality
- Self-hosted Moodle installations across supported platforms
Discovery Timeline
- 2024-11-07 - CVE-2024-43440 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-43440
Vulnerability Analysis
The vulnerability resides in Moodle's block backup restoration logic. When an administrator or privileged user restores a block backup, the restore routine processes paths contained in the backup archive without sufficient validation. A crafted backup file can reference local files outside the intended restore directory.
The flaw is classified as a path traversal weakness. The CVSS vector indicates confidentiality impact only, with no impact to integrity or availability. The EPSS score of 0.638% reflects current exploitation likelihood based on observed activity.
Root Cause
The root cause is improper limitation of pathname references during the block backup restore operation. File paths embedded in backup archives are not normalized or constrained to the expected restore directory. As a result, traversal sequences and absolute paths can resolve to arbitrary files readable by the Moodle process.
Attack Vector
An attacker crafts a malicious block backup archive containing path references pointing to sensitive server-side files. The attacker uploads and restores the archive through the Moodle interface. During restoration, Moodle reads the referenced local files and incorporates their content into the restored block, exposing the data to the attacker.
No authenticated user interaction is required beyond initiating the restore. The attack is performed over the network through standard Moodle web endpoints. Refer to the Red Hat Bug Report #2304269 for additional technical context.
Detection Methods for CVE-2024-43440
Indicators of Compromise
- Unexpected block backup archive uploads or restore operations in Moodle audit logs
- Backup archive contents containing traversal sequences such as ../ or absolute filesystem paths
- Restored blocks containing fragments of system files, configuration data, or credentials
- Outbound transfers of exported block content following a restore operation
Detection Strategies
- Inspect Moodle backup .mbz archives for path entries that escape the expected directory structure
- Correlate backup_block_restore events in Moodle logs with subsequent block view or export actions
- Apply file integrity monitoring to the Moodle moodledata directory to detect anomalous read patterns during restore operations
Monitoring Recommendations
- Enable Moodle's full event logging for backup and restore actions and forward logs to a centralized SIEM
- Alert on backup restore activity performed by accounts without a historical pattern of administrative actions
- Review web server access logs for repeated requests to /backup/restore.php and related endpoints
How to Mitigate CVE-2024-43440
Immediate Actions Required
- Apply the security patches referenced in the Moodle Forum Discussion #461210 advisory to all affected instances
- Restrict the moodle/backup:backupcourse and restore capabilities to a minimal set of trusted administrators
- Audit recent backup restore events and validate the integrity of restored blocks for unexpected content
Patch Information
Moodle has released fixed versions addressing the path traversal flaw in block backup restoration. Administrators should consult the Moodle Forum Discussion #461210 advisory for the specific patched version corresponding to their deployment branch and upgrade promptly.
Workarounds
- Disable the block backup and restore feature until the patch is applied
- Limit upload of backup archives to administrators on trusted networks
- Run Moodle under a dedicated low-privilege system account to reduce the scope of readable files
# Configuration example: restrict backup/restore capability in Moodle
# Site administration > Users > Permissions > Define roles
# Remove the following capabilities from non-admin roles:
# moodle/restore:restoreblock
# moodle/backup:backupactivity
# moodle/backup:backupcourse
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

