Vulnerability Bulletins

MSA-23-0019: Proxy bypass risk due to insufficient validation


System information

Affected software: Moodle (PHP)

Description

by Michael Hawkins.

Incorrect domain matching logic made it possible to bypass the proxy, which could result in access to hosts intended to be blocked by the proxy.

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Brendan Heywood
Workaround: Add hosts blocked within the proxy to the Moodle cURL blocked hosts configuration if possible. This is a stop-gap that only covers hosts you can enumerate; upgrading to a fixed version is the actual remediation.

More info:

https://moodle.org/mod/forum/discuss.php?d=449640&parent=1807042
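To make the class of bug concrete, the following is an added illustration (written for this bulletin, not Moodle's code, and not the exact defect behind CVE-2023-40316) of how a proxy-bypass list can be matched too loosely. It places a flawed substring match next to a label-boundary match, and models a separate blocked-hosts list that is consulted before any routing decision, which is the role the workaround above gives Moodle's cURL blocked hosts setting. All host names, lists and URLs are constructed sample data.

```python
"""
Proxy-bypass list matching: a flawed substring match next to a label-boundary
match, plus a blocked-hosts list checked before any routing decision.
Added illustration; not Moodle's code and not the exact defect in CVE-2023-40316.
"""
from urllib.parse import urlsplit


def normalise_host(host: str) -> str:
    """Lower-case, strip a :port and IPv6 brackets, then drop a trailing dot."""
    host = host.strip().lower()
    if host.startswith("[") and "]" in host:      # "[::1]:8080" -> "::1"
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                    # "example.com:443" -> "example.com"
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def naive_bypass_match(host: str, entry: str) -> bool:
    """Flawed: a bypass entry found anywhere inside the host name counts as a match,
    so 'example.com' also matches 'example.com.attacker.net' and 'notexample.com'."""
    return entry.lower() in host.lower()


def strict_bypass_match(host: str, entry: str) -> bool:
    """A bare entry matches that host and its subdomains; a '*.' entry matches
    subdomains only. Suffix matches are accepted only at a '.' label boundary."""
    host = normalise_host(host)
    entry = normalise_host(entry)
    if entry.startswith("*."):
        return host.endswith(entry[1:])           # ".example.com" suffix only
    return host == entry or host.endswith("." + entry)


def route(url: str, bypass_list, blocked_hosts, match=strict_bypass_match) -> str:
    """'blocked' wins over everything; otherwise 'direct' on a bypass hit, else 'proxy'."""
    host = normalise_host(urlsplit(url).hostname or "")
    if any(strict_bypass_match(host, b) for b in blocked_hosts):
        return "blocked"
    if any(match(host, e) for e in bypass_list):
        return "direct"
    return "proxy"


BYPASS_LIST = ["example.com", "*.lan.example.net"]   # constructed sample bypass list
BLOCKED_HOSTS = ["metadata.internal"]                 # constructed sample blocked hosts


def demo() -> dict:
    """Route constructed URLs with both matchers; returns {url: (naive, strict)}."""
    urls = [
        "https://api.example.com/v1",            # legitimate bypass entry
        "https://example.com.attacker.net/",     # bypass entry embedded in a foreign name
        "https://notexample.com/",               # suffix match without a label boundary
        "https://metadata.internal/latest",      # blocked no matter what the bypass list says
    ]
    return {u: (route(u, BYPASS_LIST, BLOCKED_HOSTS, naive_bypass_match),
                route(u, BYPASS_LIST, BLOCKED_HOSTS)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in demo().items():
        print(f"{url:40} naive={naive:<7} strict={strict}")
```

With the naive matcher the two attacker-controlled names go direct and never reach the proxy that was supposed to block them; with the boundary-aware matcher they are routed through the proxy. The blocked-hosts check sits in front of both, which is why adding the hosts the proxy blocks to that list works as a workaround even while the bypass matching is wrong.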

Standard identifiers

Property: Value
CVE: CVE-2023-40316

Version history

Version | Comment | Date
1.0 | Advisory issued | 2023-08-24

Members of

Ministerio de Defensa
CNI
CCN
CCN-CERT