CVE-2021-32476 in Moodleinfo

Summary

by MITRE • 03/11/2022

A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 03/18/2026

The vulnerability identified as CVE-2021-32476 represents a critical denial-of-service weakness within the Moodle learning management system that specifically targets the draft files handling functionality. This issue arises from the system's failure to properly enforce user-defined file upload limitations within the draft files area, creating a potential avenue for malicious actors to exhaust system resources through excessive file uploads. The affected versions span across multiple Moodle release branches including 3.10.0 through 3.10.3, 3.9.0 through 3.9.6, 3.8.0 through 3.8.8, 3.5.0 through 3.5.17, along with earlier unsupported versions that remain vulnerable to this flaw. This vulnerability falls under the category of insufficient resource management as classified by CWE-400, specifically addressing the improper handling of resource limits within the application's file management subsystem. The technical implementation flaw occurs when the system processes draft files without validating against configured upload size constraints, allowing users to potentially upload files that exceed the established limits.

The operational impact of this vulnerability extends beyond simple service disruption to encompass potential system instability and resource exhaustion across multiple server components. When exploited, the vulnerability enables attackers to consume excessive disk space and memory resources within the Moodle environment, potentially leading to complete service unavailability for legitimate users. The draft files area in Moodle serves as a temporary storage location for files uploaded by users during various activities such as assignment submissions, forum posts, and resource management, making this attack vector particularly dangerous as it targets core functionality. The denial-of-service condition manifests when the system becomes overwhelmed by oversized file uploads that bypass normal validation mechanisms, causing the application to either crash or become unresponsive. This vulnerability aligns with ATT&CK technique T1499.004 which describes the use of resource exhaustion attacks to disrupt services and systems.

Mitigation strategies for CVE-2021-32476 require immediate implementation of version upgrades to patched Moodle releases, as the vulnerability has been addressed in subsequent updates. Organizations should prioritize upgrading to Moodle versions 3.10.4, 3.9.7, 3.8.9, or 3.5.18 and later, which contain the necessary patches to enforce proper file upload limit validation. Additionally, administrators should implement enhanced monitoring of draft files areas to detect unusual upload patterns and establish more restrictive file size limits at the system level. The fix implemented in patched versions addresses the root cause by enforcing proper validation of file upload limits within the draft files processing logic, ensuring that all file uploads respect configured constraints before being accepted into the system. Security teams should also consider implementing network-level controls and rate limiting mechanisms to prevent abuse of the draft files functionality, while maintaining audit logs to track file upload activities and identify potential exploitation attempts. This vulnerability demonstrates the critical importance of proper input validation and resource limit enforcement in web applications, particularly those handling user-generated content and file uploads.

Reservation

05/07/2021

Disclosure

03/11/2022

Moderation

accepted

CPE

ready

EPSS

0.01047

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!