jcrodriguez-dis / moodle-mod_vpl

Virtual Programming Lab for Moodle (Module)
GNU General Public License v3.0

More info about security vulnerability #194

Closed FeldrinH closed 1 week ago

FeldrinH commented 3 weeks ago

I would like to know more about the impact of the security vulnerability fixed in VPL 4.2.4. The release notes are fairly vague and looking up CVE-2024-34312 I find that this CVE number is reserved but unused. Where could I find more info about this security vulnerability?

jcrodriguez-dis commented 3 weeks ago

Dear @FeldrinH,

Thank you for your inquiry regarding the security vulnerability fixed in VPL 4.2.4. While I understand your concern and desire for more detailed information, it is not advisable to share specific details publicly for security reasons.

However, I can assure you that if you update your VPL-Jail-System, there is no immediate need to update your Moodle plugin.

We apologize for any inconvenience this may have caused.

Best regards, Juan Carlos

FeldrinH commented 3 weeks ago

My concern is what if someone has exploited the vulnerability before I updated. Could they have gained access to the host system? Escaped VPL jail? What is the potential damage if someone exploited this before the fix was applied?

jcrodriguez-dis commented 3 weeks ago

Dear FeldrinH,

I share your concern regarding this issue. This is why we recommend installing the VPL-Jail-System on a freshly installed operating system. For enhanced security, you may also consider switching to the Docker version, which operates with no privileges.

Best regards, Juan Carlos

vincentscode commented 2 weeks ago

Dear @FeldrinH, since your initial question the CVEs have been published, and you can find more details on the vulnerabilities at CVE-2024-34312 and CVE-2024-34313.