Use of a Key Past its Expiration Date

CVE-2024-38277

Medium

6.9/10

Summary

Moodle versions prior to 4.1.11, 4.2.x prior to 4.2.8, 4.3.x prior to 4.3.5, and 4.4.x prior to 4.4.1, uses the same key for QR login and auto-login. A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-324 - Use of a Key Past its Expiration Date

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

References

Advisory
Advisory

Advisory Timeline

Published Jun 18, 2024

Use of a Key Past its Expiration Date

CVE-2024-38277

Summary

CWE-324 - Use of a Key Past its Expiration Date

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS