The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
{ "binaries": [ { "binary_version": "3.0.3+dfsg-0ubuntu1", "binary_name": "moodle" } ] }