Actions

Copy link

Task #14478

closed

IM RJ

Security Vulnerability Notification

Task #14478: Security Vulnerability Notification

Added by ITG Mailmaster about 2 months ago. Updated about 2 months ago.

Status:

Won't Fix

Priority:

Major

Assignee:

Robert Jandow

Start date:

06.03.2026

Due date:

% Done:

Estimated time:

SecReporter:

Originally created on:

18.07.2024

Originally updated on:

29.07.2024

Original due date:

Description

Hi!

An automated scan by the TUM IT Security team has discovered 14 vulnerabilities in your network (org:ASE).

If you have questions about the procedure or your scan results, please contact

it-sicherheit@tum.de

Please fix the reported issues as soon as you can.

Regards

ITO Systems Group

Report text of Greenbone Security Assistant:

############################################################

host: vmbhatotia165.in.tum.de, ip: 131.159.89.189, - port: -¶

5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
2024-07-15T21:17:13Z - b9204534-7c7f-4786-94ce-df68891e889f - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):

Set-Cookie: XSRF-TOKEN=eyJpdiI6Inh3Q1Q5Y3o2ZnQ5OUZGZ1pwVWU0Rnc9PSIsInZhbHVlIjoiWFM4M3BxaXA4Z0V1RzdoVUpJbWlwTlEwTjQyVHRFb1NVYXAyT1Fzc3NMMzBueVY4N2Ewd3k3OFJrZkNwMEV6T0Ywcm1YT0d4WEZ1Z1owWkhwLy9hbXhhYjhSOTJCNXB2cUpLUWZ4R0VCcDFwREpORkdsZVN4eExKVjgvS0FuYjMiLCJtYWMiOiIxZWJhMzYwMzJkNjA2NmMxZjJjMmM2ZTVkNzZhYzVkY2NkYTFlYTcxOWNjMjliNzhkMWExZmYxZmYxM2FhYTZhIiwidGFnIjoiIn0%3D; expires=Wed, 24 Jul 2024 04:35:03 GMT; Max-Age=replaced; path=/; secure

is/are missing the "HttpOnly" cookie attribute.

solution (Mitigation):

Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create
  an override for this result if there is none (this can't be checked automatically by this VT)

############################################################

host: vmbhatotia165.cs.tum.edu, ip: 131.159.89.189, - port: -¶

5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
2024-07-15T21:17:13Z - 9d8c71b9-fa26-4f28-9a6d-ba5f0a84db81 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):

Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik15Tk1NSk40dFB4S095elBOVVlKY2c9PSIsInZhbHVlIjoiQ3JHWENoR0hCUm9OZUZxc0xLUWYrYURNd2NrYWZCZytWTnladGxvU0xpN2xlNWNmU2c3NW9iY3lxOGl6ekJjRHlTbEx0eGpKZm9sSXFtdk90V3lqeUU3dlorei82dXVVc3o3TFYvdzVDdzlYTTNxUm9kd1pEazBNRmdQcTh0RnYiLCJtYWMiOiI0MDExNzExZjcyOWZiNDRkNWQ5NWUwNTJkNDgwMjQ0ODdiNDFmZjFjYTUyZGYyOGJhOWU4YmFiNzc5MjE4NmIzIiwidGFnIjoiIn0%3D; expires=Wed, 24 Jul 2024 04:35:04 GMT; Max-Age=replaced; path=/; secure

is/are missing the "HttpOnly" cookie attribute.

solution (Mitigation):

Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create
  an override for this result if there is none (this can't be checked automatically by this VT)

############################################################

host: inventory.ase.cit.tum.de, ip: 131.159.89.189, - port: -¶

5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
2024-07-15T21:17:13Z - ca4eeebb-e5fb-46f2-a096-241c2eb67158 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):

Set-Cookie: XSRF-TOKEN=eyJpdiI6IjA5T2haTDZvcDdZeWY1T0N4Zy9ad2c9PSIsInZhbHVlIjoiVUovcWx6NWQveUh4dEw3WEdlKzJJS2VKeGZvQmd1cjVpNkt2OFhJVHlKT29YRTMvMStkS25QdkdyK243blk0eHRKdlJhd3cxT3JOQUNyTWFOV2Z5RVp2SHJ6djhuTE5ZaTYvajh5UlpuRHVQKzNvL2Q0Z1k5ZUJOWmhoRysrcmoiLCJtYWMiOiI1NDM1MWRhOTI3YWRkNzQyYmYzZWYzYmMwZDhlMmRmMGVmNzg0YjAyNDliOGI3NjFiMDM3ZTJmMGRmMWQyYThhIiwidGFnIjoiIn0%3D; expires=Wed, 24 Jul 2024 04:35:04 GMT; Max-Age=replaced; path=/; secure

is/are missing the "HttpOnly" cookie attribute.

solution (Mitigation):

Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create
  an override for this result if there is none (this can't be checked automatically by this VT)

############################################################

host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -¶

5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
2024-07-15T21:26:09Z - 8d05d421-8aee-4633-951a-643a991de2ae - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:

Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root root@vmbhatotia124.in.tum.de 1656435832 +0200 clone: from git://git.moodle.org/moodle.git
1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root root@vmbhatotia124.in.tum.de 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE
cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root root@vmbhatotia124.in.tum.de 1675437321 +0100 pull: Fast-forward
a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root root@vmbhatotia124.in.tum.de 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE
cb6dc699b8ed9d29dcd9cd400fb96647a471e87a 9557a525696b2e7eeef49a95d3eacb7be374a71a root root@vmbhatotia124.in.tum.de 1720609520 +0200 checkout: moving from cb6dc699b8ed9d29dcd9cd400fb96647a471e87a to MOODLE_404_STABLE
9557a525696b2e7eeef49a95d3eacb7be374a71a 033858e2491fd79c54e511f3177eca2990877ee6 root root@vmbhatotia124.in.tum.de 1720610070 +0200 checkout: moving from MOODLE_404_STABLE to v4.1.2
033858e2491fd79c54e511f3177eca2990877ee6 7dcfaa79f78e100fcb0b52f4e99d13f354ca0f23 root root@vmbhatotia124.in.tum.de 1720610124 +0200 checkout: moving from 033858e2491fd79c54e511f3177eca2990877ee6 to v4.3.5
Used regex: ^[a-f0-9]{40} [a-f0-9]{40}
URL: https://vmbhatotia124.in.tum.de/.git/logs/HEAD

Match: [core]
[remote "origin"]
[branch "MOODLE_311_STABLE"]
[branch "MOODLE_400_STABLE"]
[branch "MOODLE_404_STABLE"]
Used regex: ^[(core|receive|(remote|branch) .+)]$
URL: https://vmbhatotia124.in.tum.de/.git/config

Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://vmbhatotia124.in.tum.de/.git/info/exclude

Match: DIRC
Used regex: ^DIRC
URL: https://vmbhatotia124.in.tum.de/.git/index

Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://vmbhatotia124.in.tum.de/.git/description

Match: ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle
ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle
20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle
fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle
cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle
91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle
572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle
c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle
6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle
9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle
cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle
928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle
e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle
97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle
54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle
aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle
382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle
0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle
3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle
375a1163378f4fd5af36aa633c08c0431c9ad74b not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle
92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle
45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle
ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle
9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle
22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle
940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle
3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle
49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle
1a1d59ef61d75f6e553feccbc8feb62bca7dcd9f not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle
b5f4e0ce3dde78633696f892a0844574d43af4d0 not-for-merge branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle
f9c5802f4ec72894f8722a9fe8dc3c2b917afd1a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle
34b34aed9c707d37202da7bb80603a87dac77f0e not-for-merge branch 'MOODLE_402_STABLE' of git://git.moodle.org/moodle
fd32ceac7ccb45ea3dace04ba0766f775756deda not-for-merge branch 'MOODLE_403_STABLE' of git://git.moodle.org/moodle
9557a525696b2e7eeef49a95d3eacb7be374a71a not-for-merge branch 'MOODLE_404_STABLE' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'main' of git://git.moodle.org/moodle
7d7a871eddf81cdc1e6f5ea9dda67cf9058dd032 not-for-merge branch 'master' of git://git.moodle.org/moodle
Used regex: ^[a-f0-9]{40}\s+(not-for-merge\s+)?branch
URL: https://vmbhatotia124.in.tum.de/.git/FETCH_HEAD

Match: cda2e481342ba0644f665ff8e91342abb009192a
Used regex: ^[a-f0-9]{40}$
URL: https://vmbhatotia124.in.tum.de/.git/ORIG_HEAD

solution (Mitigation):
Restrict access to the SCM files/folders for authorized systems
only.

############################################################

host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -¶

5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
2024-07-15T20:58:25Z - 1f788d95-1e7a-4ebe-bba5-5a42e3447260 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):

Set-Cookie: MoodleSession=replaced; path=/; secure

is/are missing the "HttpOnly" cookie attribute.

solution (Mitigation):

Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create
  an override for this result if there is none (this can't be checked automatically by this VT)

############################################################

host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -¶

5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
2024-07-15T21:27:40Z - 43fc543e-9965-45f6-9be7-1fd8a682b56e - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:

Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://vmbhatotia124.cs.tum.edu/.git/info/exclude

Match: DIRC
Used regex: ^DIRC
URL: https://vmbhatotia124.cs.tum.edu/.git/index

Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://vmbhatotia124.cs.tum.edu/.git/description

Match: cda2e481342ba0644f665ff8e91342abb009192a
Used regex: ^[a-f0-9]{40}$
URL: https://vmbhatotia124.cs.tum.edu/.git/ORIG_HEAD

solution (Mitigation):
Restrict access to the SCM files/folders for authorized systems
only.

############################################################

host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -¶

5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
2024-07-15T20:58:25Z - daf1058b-2f50-442a-b606-7c8ee0783017 - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):

Set-Cookie: MoodleSession=replaced; path=/; secure

is/are missing the "HttpOnly" cookie attribute.

solution (Mitigation):

Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create
  an override for this result if there is none (this can't be checked automatically by this VT)

############################################################

host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -¶

5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
2024-07-15T21:27:09Z - 439d3c96-876b-4afb-82d5-f2262c0f7068 - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:

Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://moodle.ase.in.tum.de/.git/info/exclude

Match: DIRC
Used regex: ^DIRC
URL: https://moodle.ase.in.tum.de/.git/index

Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://moodle.ase.in.tum.de/.git/description

Match: cda2e481342ba0644f665ff8e91342abb009192a
Used regex: ^[a-f0-9]{40}$
URL: https://moodle.ase.in.tum.de/.git/ORIG_HEAD

solution (Mitigation):
Restrict access to the SCM files/folders for authorized systems
only.

############################################################

host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -¶

5.0 - Missing 'HttpOnly' Cookie Attribute (HTTP)
2024-07-15T20:58:25Z - 6fb18832-8acb-47ff-b160-07bbf21cafad - 1.3.6.1.4.1.25623.1.0.105925
impact:
summary: The remote HTTP web server / application is missing to set the
'HttpOnly' cookie attribute for one or more sent HTTP cookie.
problem: The cookie(s):

Set-Cookie: MoodleSession=replaced; path=/; secure

is/are missing the "HttpOnly" cookie attribute.

solution (Mitigation):

Set the 'HttpOnly' cookie attribute for any session cookie
- Evaluate / do an own assessment of the security impact on the web server / application and create
  an override for this result if there is none (this can't be checked automatically by this VT)

############################################################

host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, - port: -¶

5.0 - Source Control Management (SCM) Files/Folders Accessible (HTTP)
2024-07-15T21:26:40Z - f59d15da-1be6-46c6-8823-54c3225bf6d0 - 1.3.6.1.4.1.25623.1.0.111084
impact: Based on the information provided in these files/folders an
attacker might be able to gather additional info about the structure of the system and its
applications.
summary: The script attempts to identify files/folders of a SCM
accessible at the webserver.
problem: The following SCM files/folders were identified:

Match: # git ls-files --others --exclude-from=.git/info/exclude
Used regex: ^# git ls-files
URL: https://moodle.ase.cs.tum.edu/.git/info/exclude

Match: DIRC
Used regex: ^DIRC
URL: https://moodle.ase.cs.tum.edu/.git/index

Match: Unnamed repository; edit this file 'description' to name the repository.
Used regex: ^Unnamed repository
URL: https://moodle.ase.cs.tum.edu/.git/description

Files

original_mail_description.txt (38 KB) original_mail_description.txt

ITG Mailmaster, 06.03.2026 20:32

RJ Updated by Robert Jandow about 2 months ago Actions
Copy link
#1

[~ge65bep] Was ist der Stand bei Moodle? Es sind irgendwie immer noch Meldungen von Moodle dabei, wurden die beim letzten Update nicht geschlossen?

CW Updated by Colin Wilk about 2 months ago Actions
Copy link
#2

Das issue ist nicht wirklich nen issue. Ja moodle wurde updated.
Das ist das recommended deployment von Moodle in dem die .git repository teil des webservers ist. Das KANN ein source code leak sein aber well.... Moodle ist FOSS

Also nein ist kein issue

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

test project » import-test

Custom queries

Task #14478

Security Vulnerability Notification

host: vmbhatotia165.in.tum.de, ip: 131.159.89.189, - port: -¶

host: vmbhatotia165.cs.tum.edu, ip: 131.159.89.189, - port: -¶

host: inventory.ase.cit.tum.de, ip: 131.159.89.189, - port: -¶

host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -¶

host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -¶

host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -¶

host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -¶

host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -¶

host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -¶

host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, - port: -¶

RJ Updated by Robert Jandow about 2 months ago Actions
Copy link
#1

CW Updated by Colin Wilk about 2 months ago Actions
Copy link
#2

Project

General

Profile

test project » import-test

Custom queries

Task #14478

Security Vulnerability Notification

host: vmbhatotia165.in.tum.de, ip: 131.159.89.189, - port: -¶

host: vmbhatotia165.cs.tum.edu, ip: 131.159.89.189, - port: -¶

host: inventory.ase.cit.tum.de, ip: 131.159.89.189, - port: -¶

host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -¶

host: vmbhatotia124.in.tum.de, ip: 131.159.89.183, - port: -¶

host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -¶

host: vmbhatotia124.cs.tum.edu, ip: 131.159.89.183, - port: -¶

host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -¶

host: moodle.ase.in.tum.de, ip: 131.159.89.183, - port: -¶

host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, - port: -¶

RJ Updated by Robert Jandow about 2 months ago ActionsCopy link #1

CW Updated by Colin Wilk about 2 months ago ActionsCopy link #2

RJ Updated by Robert Jandow about 2 months ago Actions
Copy link
#1

CW Updated by Colin Wilk about 2 months ago Actions
Copy link
#2