CVE-2021-32476

7.5 HIGH

📋 TL;DR

This vulnerability in Moodle's draft files area allows attackers to cause denial-of-service by bypassing user file upload limits. It affects Moodle installations from version 3.5 through 3.10.3, potentially disrupting e-learning platforms by exhausting server resources.

💻 Affected Systems

Products:
  • Moodle
Versions: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Operating Systems: All platforms running affected Moodle versions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the draft files functionality which is typically enabled in standard Moodle installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, preventing all users from accessing the Moodle platform.

🟠 Likely Case: Degraded performance or temporary service interruptions affecting user experience and learning activities.

🟢 If Mitigated: Minimal impact with proper monitoring and resource limits in place at the infrastructure level.

🌐 Internet-Facing: HIGH - Moodle instances accessible from the internet are directly exposed to potential DoS attacks.
🏢 Internal Only: MEDIUM - Internal users could still exploit this, but attack surface is smaller than internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user-level access to upload files to draft areas, making authenticated attacks more likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Moodle 3.10.4, 3.9.7, 3.8.9, 3.5.18

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=422310

Restart Required: No

Instructions:

1. Back up your Moodle installation and database.
2. Download the patched version from moodle.org.
3. Replace affected files with patched versions.
4. Run the upgrade process through the web interface or CLI.

🔧 Temporary Workarounds

Disable draft file uploads
  Applies to: all
  Temporarily disable the draft files functionality to prevent exploitation.
  Edit config.php and add: $CFG->enableportfolios = false;

Implement web application firewall rules
  Applies to: all
  Add rate limiting and file upload size restrictions at the WAF level.
  Configure the WAF to limit file upload requests per user session.

🧯 If You Can't Patch

  • Implement strict file upload limits at the web server level (e.g., nginx/apache max body size)
  • Monitor server resource usage and set up alerts for abnormal file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check Moodle version via Admin panel or by examining version.php file in Moodle root directory

Check Version:

grep "\$release" /path/to/moodle/version.php

Verify Fix Applied:

Verify version is updated to 3.10.4, 3.9.7, 3.8.9, or 3.5.18 and test draft file upload functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusually large file uploads to draft areas
  • Multiple failed upload attempts from single users
  • Resource exhaustion alerts in system logs

Network Indicators:

  • Spike in POST requests to file upload endpoints
  • Abnormal traffic patterns to /draftfile.php endpoints

SIEM Query:

source="moodle_logs" AND ((event="file_upload" AND size>10000000) OR event="resource_exhaustion")
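The indicators above can be checked offline against exported logs before a SIEM rule is tuned. The following Python script is an added example (not code from this page or from the Moodle project): it parses constructed sample log lines in an assumed "timestamp user= event= path= size=" format, flags any draft-area upload above the 10,000,000-byte threshold used in the SIEM query, and flags users who send five or more uploads within a 60-second window (both the burst count and the window are assumed tuning values). The /draftfile.php path comes from the page; repository/repository_ajax.php is added here as the upload endpoint Moodle's file picker uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Moodle output). Assumed format:
# "<ISO timestamp> user=<id> event=<name> path=<url> size=<bytes>"
SAMPLE_LOGS = """\
2021-05-10T09:00:01 user=17 event=file_upload path=/repository/repository_ajax.php?action=upload size=524288
2021-05-10T09:00:05 user=17 event=file_upload path=/repository/repository_ajax.php?action=upload size=52428800
2021-05-10T09:00:06 user=42 event=file_upload path=/draftfile.php/5/user/draft/111/a.pdf size=1048576
2021-05-10T09:00:07 user=42 event=file_upload path=/draftfile.php/5/user/draft/111/b.pdf size=1048576
2021-05-10T09:00:08 user=42 event=file_upload path=/draftfile.php/5/user/draft/111/c.pdf size=1048576
2021-05-10T09:00:09 user=42 event=file_upload path=/draftfile.php/5/user/draft/111/d.pdf size=1048576
2021-05-10T09:00:10 user=42 event=file_upload path=/draftfile.php/5/user/draft/111/e.pdf size=1048576
2021-05-10T09:00:11 user=42 event=file_upload path=/draftfile.php/5/user/draft/111/f.pdf size=1048576
2021-05-10T09:05:00 user=99 event=course_view path=/course/view.php?id=3 size=0
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\d+) event=(?P<event>\S+) '
    r'path=(?P<path>\S+) size=(?P<size>\d+)$'
)

LARGE_UPLOAD_BYTES = 10_000_000        # same threshold as the SIEM query
BURST_COUNT = 5                        # assumed: uploads per user per window
BURST_WINDOW = timedelta(seconds=60)   # assumed: sliding window length


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "event": m["event"],
        "path": m["path"],
        "size": int(m["size"]),
    }


def is_draft_upload(rec):
    """Upload events to the draft-area endpoints (draftfile.php from the page,
    repository_ajax.php assumed as the file-picker upload endpoint)."""
    return rec["event"] == "file_upload" and (
        "/draftfile.php" in rec["path"] or "repository_ajax.php" in rec["path"]
    )


def detect(log_text):
    """Return findings as (kind, user, value) tuples:
    ('large_upload', user, bytes) for oversized uploads and
    ('upload_burst', user, count) for a user exceeding BURST_COUNT in BURST_WINDOW."""
    findings = []
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_draft_upload(rec):
            continue
        if rec["size"] > LARGE_UPLOAD_BYTES:
            findings.append(("large_upload", rec["user"], rec["size"]))
        per_user[rec["user"]].append(rec["ts"])

    # Sliding-window burst detection per user; report once per user.
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                findings.append(("upload_burst", user, end - start + 1))
                break
    return findings


if __name__ == "__main__":
    for kind, user, value in detect(SAMPLE_LOGS):
        print(f"{kind}: user={user} value={value}")
```

Thresholds should be set from a baseline of normal upload sizes and rates on the instance; an oversized-upload hit on a single user is the stronger signal here, since the vulnerability is about bypassing per-user upload limits.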
