710000 – (CVE-2020-1692) www-apps/moodle: information exposure of service tokens (CVE-2020-1692)

Bug 710000 (CVE-2020-1692) - www-apps/moodle: information exposure of service tokens (CVE-2020-1692)

Summary: www-apps/moodle: information exposure of service tokens (CVE-2020-1692)

Status:	RESOLVED FIXED

Alias:	CVE-2020-1692

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:	~4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-02-17 22:38 UTC by filip ambroz
Modified:	2020-06-20 01:05 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description filip ambroz 2020-02-17 22:38:47 UTC

Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-1692
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1692

Comment 1 Anthony Basile gentoo-dev

2020-02-19 14:14:06 UTC

(In reply to filip ambroz from comment #0)
> Moodle before version 3.7.2 is vulnerable to information exposure of service
> tokens for users enrolled in the same course.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2020-1692
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1692

This was two versions ago for all the moodle branches.  There's nothing for the maintainer to do.

Comment 2 filip ambroz 2020-02-20 23:12:01 UTC

Thank you for the reply. Just to make sure: versions 3.6.8 and 3.5.10 (in tree) are not affected? If so, I can close the bug as invalid..