CVE-2024-22209 - OpenCVE

Open edX Platform is a service-oriented platform for authoring and delivering online learning. A user with a JWT and more limited scopes could call endpoints exceeding their access. This vulnerability has been patched in commit 019888f.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Edx	Edx-platform

Configuration 1 [-]

cpe:2.3:a:edx:edx-platform:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775	Product
https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e	Patch
https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-13T07:40:44.052Z

Updated: 2024-01-13T07:40:44.052Z

Reserved: 2024-01-08T04:59:27.374Z

Link: CVE-2024-22209

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-13T08:15:07.557

Modified: 2024-01-22T19:20:27.757

Link: CVE-2024-22209

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-22209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-08T04:59:27.374Z", "datePublished": "2024-01-13T07:40:44.052Z", "dateUpdated": "2024-01-13T07:40:44.052Z"}, "containers": {"cna": {"title": "XBlock custom auth does not respect JWT Scopes", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm"}, {"name": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e", "tags": ["x_refsource_MISC"], "url": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e"}, {"name": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775", "tags": ["x_refsource_MISC"], "url": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775"}], "affected": [{"vendor": "openedx", "product": "edx-platform", "versions": [{"version": "< commit 019888f", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-13T07:40:44.052Z"}, "descriptions": [{"lang": "en", "value": "Open edX Platform is a service-oriented platform for authoring and delivering online learning. A user with a JWT and more limited scopes could call endpoints exceeding their access. This vulnerability has been patched in commit 019888f."}], "source": {"advisory": "GHSA-qx8m-mqx3-j9fm", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:edx:edx-platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BD13825-8465-4BC9-86A9-392515F89403", "versionEndExcluding": "2024-01-12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Open edX Platform is a service-oriented platform for authoring and delivering online learning. A user with a JWT and more limited scopes could call endpoints exceeding their access. This vulnerability has been patched in commit 019888f."}, {"lang": "es", "value": "Open edX Platform es una plataforma orientada a servicios para crear y ofrecer aprendizaje en l\u00ednea. Un usuario con un JWT y alcances m\u00e1s limitados podr\u00eda llamar a endpoints que excedan su acceso. Esta vulnerabilidad ha sido parcheada en el commit 019888f."}], "id": "CVE-2024-22209", "lastModified": "2024-01-22T19:20:27.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-13T08:15:07.557", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}