CVE-2021-36395: 
PHP vulnerability analysis and mitigation

CVE-2021-36395 is a vulnerability discovered in Moodle's file repository system where URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. The vulnerability affects Moodle versions 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7, and earlier unsupported versions. It was reported by security researcher 0xkasper and was addressed in versions 3.11.1, 3.10.5, and 3.9.8 (Moodle Forum).

The vulnerability is classified as a recursion-based denial of service issue, identified with CWE-674 (Uncontrolled Recursion) and CWE-400 (Uncontrolled Resource Consumption). The CVSS v3.1 base score is 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that the vulnerability can be exploited remotely with no privileges or user interaction required (NVD).

The vulnerability could lead to a denial of service condition through uncontrolled recursion in the file repository's URL parsing mechanism. The high CVSS score of 7.5 indicates significant potential impact on system availability, though there are no direct impacts on confidentiality or integrity (NVD).

The vulnerability has been fixed in Moodle versions 3.11.1, 3.10.5, and 3.9.8. Users are advised to upgrade to these or later versions to mitigate the risk. The fix involved implementing additional recursion handling in the file repository's URL parsing mechanism (Moodle Forum).