Platform: php
Component: moodle/moodle
Fixed in: 4.0.3, 3.9.15
CVE-2022-35649 is a critical remote code execution (RCE) vulnerability affecting Moodle Learning Management System versions up to 3.9.9. It stems from improper input validation when parsing PostScript code, specifically a missing execution parameter in the PostScript handling. Successful exploitation, which relies on the site running an older GhostScript version (prior to 9.50), can grant attackers complete control over the vulnerable system.
The impact of CVE-2022-35649 is severe. An attacker exploiting it can execute arbitrary code on the Moodle server with the privileges of the web server user, which can lead to complete system compromise: data exfiltration, data modification, and denial of service. The reliance on GhostScript widens the attack surface, since many Moodle installations use GhostScript for PDF processing. Arbitrary code execution also allows persistent backdoors, credential theft, and lateral movement within the network. The vulnerability resembles other PostScript parsing flaws in which improper sanitization leads to code execution.
CVE-2022-35649 was publicly disclosed on July 26, 2022. It is considered a high-priority vulnerability because of its critical CVSS score and the potential for complete system compromise. Public proof-of-concept (PoC) exploits are likely to emerge, increasing the risk of exploitation. The vulnerability has been added to the CISA KEV catalog, signalling heightened concern for US federal agencies. Active exploitation campaigns are possible, particularly against organizations with unpatched Moodle installations.
Exploit Status
EPSS: 7.53% (92nd percentile)
CVSS Vector
The primary mitigation for CVE-2022-35649 is to upgrade Moodle to version 3.9.15 or later. If an immediate upgrade is not feasible, consider temporarily disabling PostScript processing within Moodle, where possible, to reduce the attack surface. Ensure GhostScript is updated to version 9.50 or later to address the underlying weakness. Web Application Firewalls (WAFs) configured to inspect PostScript code for malicious patterns can provide an additional layer of defense. After upgrading, verify the fix by processing a known malicious PostScript file within Moodle and confirming that it is handled safely, without code execution.
Update Moodle to version 4.0.2, 3.11.8, or 3.9.15, or a later version. This corrects the remote code execution (RCE) vulnerability caused by improper input validation when parsing PostScript code.
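As an added check (not code from the advisory or from Moodle), the following POSIX shell script reports whether a host is still in scope, using the fixed releases listed above (4.0.2, 3.11.8, 3.9.15) and the GhostScript 9.50 threshold. It assumes that Moodle's version.php carries a $release line such as '3.9.14 (Build: 20220509)', that branches 4.1 and later postdate the fix, and that GhostScript is on PATH as gs.

```shell
#!/bin/sh
# Added example (not Moodle's or the advisory's code): report whether a host is
# in scope for CVE-2022-35649 from its Moodle release string and GhostScript
# version. Fixed releases (4.0.2, 3.11.8, 3.9.15) and the GhostScript 9.50
# threshold are taken from the remediation text of the advisory.
# Assumptions: $release in version.php looks like '3.9.14 (Build: 20220509)',
# branches 4.1+ postdate the fix, and GhostScript is reachable as `gs`.

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va='' ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb='' ;; esac
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
    done
    return 0
}

# moodle_status RELEASE: print "affected" or "fixed" for a Moodle $release string.
moodle_status() {
    # Keep only the leading numeric version (drops '+' and the build suffix).
    ver=$(printf '%s' "$1" | sed 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/')
    case $ver in
        4.0.*)  fixed=4.0.2 ;;
        3.11.*) fixed=3.11.8 ;;
        3.9.*)  fixed=3.9.15 ;;
        *)      fixed=4.1 ;;   # other branches below 4.1 never received a fix
    esac
    if version_ge "$ver" "$fixed"; then echo fixed; else echo affected; fi
}

# gs_status GSVERSION: print "vulnerable" when GhostScript is older than 9.50.
gs_status() {
    if version_ge "$1" 9.50; then echo ok; else echo vulnerable; fi
}

# Usage: sh cve-2022-35649-check.sh --check /path/to/moodle
if [ "${1:-}" = "--check" ]; then
    rel=$(sed -n "s/^[$]release *= *'\([^']*\)'.*/\1/p" "$2/version.php")
    echo "Moodle $rel: $(moodle_status "$rel")"
    if command -v gs >/dev/null 2>&1; then
        echo "GhostScript $(gs --version): $(gs_status "$(gs --version)")"
    else
        echo "GhostScript: not found on PATH"
    fi
fi
```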
CVE-2022-35649 is a critical remote code execution vulnerability in Moodle versions up to 3.9.9. Improper PostScript code validation allows attackers to execute arbitrary code, potentially compromising the entire system.
If you are running Moodle version 3.9.9 or earlier, you are affected by this vulnerability. Check your Moodle version and upgrade as soon as possible.
Upgrade Moodle to version 3.9.15 or later to address the vulnerability. Temporarily disable PostScript processing if an immediate upgrade is not possible.
While confirmed active exploitation is not yet widespread, the vulnerability's severity and public disclosure make it a likely target for attackers. Proactive patching is crucial.
Refer to the official Moodle security advisory at https://security.moodle.org/mdl-2022-35649 for detailed information and updates.