
CVE-2024-38275

Severity: High

Published: 18 June 2024
Modified: 30 April 2025
KEV Added: not listed
Patch: see vendor references

CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0076 (73.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38275 is a high-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in Moodle. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 26.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
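
The weakness above is a redirect policy problem: a client that replays every original header to the redirect target will hand the Authorization header to whatever host the redirect points at. The following is an added illustration (not Moodle's cURL wrapper or its fix) with a constructed, in-memory redirect table; it contrasts a client that forwards all headers with one that drops credential-bearing headers on cross-origin redirects, and includes a small helper a defender can use on request logs to spot which foreign hosts received an Authorization header.

```python
from urllib.parse import urlsplit

# Constructed redirect chain for this example (no network is used):
# the trusted API host redirects once to a third-party host, and once to itself.
REDIRECTS = {
    "https://api.example.com/v1/report": "https://cdn.third-party.example/report.pdf",
    "https://api.example.com/v1/login": "https://api.example.com/v1/home",
}

# Headers that carry credentials and must not cross an origin boundary.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}

def same_origin(a: str, b: str) -> bool:
    """True when scheme, host and port all match (assumed origin definition)."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def headers_for_redirect(from_url, to_url, headers, strip_credentials=True):
    """Headers to send to `to_url` after being redirected from `from_url`.
    With strip_credentials=False this reproduces the weak behaviour (replay all)."""
    if not strip_credentials or same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}

def follow(url, headers, strip_credentials=True, max_hops=5):
    """Simulate following redirects; return the list of (url, headers) actually sent."""
    sent = []
    for _ in range(max_hops + 1):
        sent.append((url, dict(headers)))
        nxt = REDIRECTS.get(url)
        if nxt is None:
            return sent
        headers = headers_for_redirect(url, nxt, headers, strip_credentials)
        url = nxt
    raise RuntimeError("too many redirects")

def leaked_authorization(requests_sent, trusted_host):
    """Detection helper: foreign hosts that received an Authorization header."""
    return sorted({urlsplit(u).hostname for u, h in requests_sent
                   if urlsplit(u).hostname != trusted_host
                   and any(k.lower() == "authorization" for k in h)})

if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer CONSTRUCTED-TOKEN", "Accept": "application/pdf"}
    weak = follow("https://api.example.com/v1/report", hdrs, strip_credentials=False)
    hardened = follow("https://api.example.com/v1/report", hdrs)
    print("replay-all client leaked to:", leaked_authorization(weak, "api.example.com"))
    print("hardened client leaked to:", leaked_authorization(hardened, "api.example.com"))
```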

CWE(s)

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: moodle
Product: moodle
Affected versions: 4.4.0; 4.1.11 and earlier; 4.2.0 through 4.2.8; 4.3.0 through 4.3.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-226, CWE-459: Directly requires removal of sensitive data from resources before reuse or reallocation to another subject, eliminating residual information transfer.

Addresses CWE-226, CWE-459: Explicit retention limits and destruction rules reduce the persistence of sensitive information in reusable resources.

Addresses CWE-226, CWE-459: Periodic refresh or explicit deletion before reuse prevents sensitive information from remaining in a reusable resource.

Addresses CWE-226, CWE-459: Mandates sanitization of resources before they are released or discarded, preventing residual sensitive information from being recovered.

Addresses CWE-226: The eradication and cross-system identification steps ensure sensitive information is removed before resources are reused or further accessed.

Addresses CWE-226: Requiring sanitization of media prior to removal for off-site maintenance ensures sensitive information is removed before the resource is reused or accessed externally.

Addresses CWE-226: Procedures include sanitization, overwriting, and disposal requirements to remove sensitive data before media reuse or release.

Addresses CWE-226: Requiring sanitization prior to reuse directly ensures sensitive information is removed from resources before they are reused by others.