Cyber Resilience

CVE-2022-35649

Critical · RCE

Published: 25 July 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0748 (92.0th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-35649 is a critical-severity Code Injection (CWE-94) vulnerability in Moodle. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2022-35649 is an improper input validation flaw (CWE-94, CWE-20) in Moodle that occurs when parsing PostScript code. An omitted execution parameter creates a remote code execution risk on sites that use GhostScript versions older than 9.50.

Unauthenticated remote attackers can exploit the issue over the network without user interaction to obtain complete compromise of the affected system, consistent with its CVSS 3.1 score of 9.8.

Public references, including the Moodle git commit search for MDL-75044, Red Hat bugzilla entry 2106273, Fedora package-announce lists, and the Moodle forum discussion thread, point to patches and coordinated updates that remediate the input-handling defect.

The associated EPSS score remains low and essentially flat at approximately 0.075.

Vulnerability details

The vulnerability, found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

moodle / moodle: 3.9.0 — 3.9.15 · 3.11.0 — 3.11.8 · 4.0.0 — 4.0.2
fedoraproject / fedora: 35, 36

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-20 CWE-94

Directly implements checks on information inputs to reject invalid data before processing.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
