CVE-2022-30599

9.8 CRITICAL

📋 TL;DR

CVE-2022-30599 is a critical SQL injection vulnerability in Moodle's badges functionality that allows attackers to execute arbitrary SQL commands. This affects all Moodle instances with badges enabled, potentially compromising the entire database. Administrators of Moodle-based learning management systems are primarily affected.

💻 Affected Systems

Products:
  • Moodle
Versions: All versions before 3.9.17, 3.10.10, 3.11.7, and 4.0.2
Operating Systems: All operating systems running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Requires badges functionality to be enabled (enabled by default in most Moodle installations).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized access to sensitive user data (grades, personal information), manipulation of course data, and potential administrative account takeover.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place, potentially only error messages or minor data exposure.

🌐 Internet-Facing: HIGH - Moodle instances are typically internet-facing educational platforms with broad attack surfaces.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable but with reduced external attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities in popular platforms like Moodle are frequently weaponized. Requires some level of user access to badges functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Moodle 3.9.17, 3.10.10, 3.11.7, or 4.0.2

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=438013

Restart Required: No

Instructions:

1. Backup your Moodle installation and database.
2. Download the patched version from moodle.org.
3. Replace affected files or perform a full upgrade.
4. Clear Moodle caches.
5. Verify the fix by checking version and testing badges functionality.

🔧 Temporary Workarounds

Disable Badges Functionality

all

Temporarily disable the badges feature to eliminate the attack vector while patching.

Navigate to Site administration > Advanced features > Enable badges (uncheck)

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns targeting badges endpoints.

Add WAF rule: block requests containing SQL keywords to /badges/* endpoints

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Moodle instances from sensitive databases
  • Enable detailed SQL query logging and monitor for suspicious badge-related database activity

🔍 How to Verify

Check if Vulnerable:

Check the Moodle version via Site administration > Notifications page or by examining the version.php file. If the version is below the fixed release for its branch (3.9.17, 3.10.10, 3.11.7, or 4.0.2), you are vulnerable.

Check Version:

Check version.php file: grep "\$release" version.php

Verify Fix Applied:

Verify that the Moodle version is at least 3.9.17, 3.10.10, 3.11.7, or 4.0.2 on its respective branch. Test badges functionality to ensure it works without errors.
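A version check that applies the per-branch thresholds above, written as an added example rather than code from this advisory or from Moodle; the version.php excerpt is constructed, and the handling of branches outside 3.9 to 4.0 is an assumption stated in the comments:

```python
import re

# Oldest fixed release on each affected branch, as listed in this advisory.
FIXED = {
    (3, 9): (3, 9, 17),
    (3, 10): (3, 10, 10),
    (3, 11): (3, 11, 7),
    (4, 0): (4, 0, 2),
}

# Constructed excerpt of a Moodle version.php $release line (hypothetical
# build date; real files carry further fields such as $version).
SAMPLE_VERSION_PHP = "$release  = '3.11.6 (Build: 20220411)';"


def parse_release(version_php_text: str) -> tuple[int, ...]:
    """Extract the dotted release number from the $release assignment."""
    m = re.search(r"\$release\s*=\s*'(\d+(?:\.\d+)+)", version_php_text)
    if not m:
        raise ValueError("no $release assignment found in version.php text")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(release: tuple[int, ...]) -> bool:
    """True when the release predates the fix for its branch.

    A naive 'below 4.0.2' test would wrongly flag 3.11.7 as unpatched, so
    the comparison is done against the threshold of the release's own branch.
    Assumptions: branches older than 3.9 count as vulnerable (the advisory
    says all earlier versions are affected); branches newer than 4.0 are
    treated as fixed because they postdate the patched releases.
    """
    branch = release[:2]
    if branch in FIXED:
        return release < FIXED[branch]  # tuple compare handles 3.11 vs 3.11.7
    return branch < (3, 9)


def check_version_php(version_php_text: str) -> bool:
    """Convenience wrapper: is the installation described by this text vulnerable?"""
    return is_vulnerable(parse_release(version_php_text))


if __name__ == "__main__":
    rel = parse_release(SAMPLE_VERSION_PHP)
    status = "VULNERABLE" if is_vulnerable(rel) else "patched"
    print(f"Moodle {'.'.join(map(str, rel))}: {status}")
```

Point the wrapper at the contents of your own version.php; the same branch-aware comparison applies to the 3.9, 3.10 and 4.0 lines.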

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs containing badges-related tables
  • Multiple failed login attempts followed by badges API calls
  • SQL syntax errors in web server logs for badges endpoints

Network Indicators:

  • Unusual traffic patterns to /badges/* endpoints
  • SQL injection payloads in HTTP requests

SIEM Query:

source="moodle_logs" AND ("badges" AND ("SQL" OR "UNION" OR "SELECT" OR "INSERT"))
