Security: Patch for disable user refreshable JWT token vulnerability

Hello everyone,

We just released a change (patches are attached to this email) for a security vulnerability in edx-platform regarding a usable JWT token vulnerability. See the email attachments for a patch for the current release, open-release/olive.master, and for open-release/nutmeg.master.

Without this patch, it is possible for a disabled user to keep refreshing the JWT token and access all the JWT-protected endpoints and views.

We advise you to patch your instances as soon as possible. The patch has been applied to the latest open-release (olive.master).

If you have any questions, feel free to reach out to me.


Ali Akbar

edX Phoenix

P.S. Patch is attached in gzip form to prevent Google Groups from modifying the patch’s line endings.
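To illustrate the class of bug the announcement describes, here is an added example that is not part of the original email, the attached patch, or edx-platform's own code. It uses a constructed HMAC-signed token format and an in-memory user table (`USERS`, `SECRET`, and all function names are assumptions) to show a refresh handler that only validates the refresh token next to one that also checks whether the account is still active before minting a new access token.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key and user table; a real deployment would use the
# Django user model and the service's configured JWT key.
SECRET = b"example-secret-do-not-use"
USERS = {"alice": {"is_active": True}, "mallory": {"is_active": True}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl: int, token_type: str, now: int) -> str:
    """Mint a toy HMAC-signed token: base64(payload).base64(signature)."""
    payload = {"sub": username, "type": token_type, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def decode_token(token: str, now: int) -> dict:
    """Verify signature and expiry; return the payload or raise ValueError."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def refresh_vulnerable(refresh_token: str, now: int) -> str:
    """Vulnerable pattern: trusts a valid refresh token and never consults
    the account's current status, so a disabled user keeps getting access."""
    payload = decode_token(refresh_token, now)
    if payload["type"] != "refresh":
        raise ValueError("not a refresh token")
    return issue_token(payload["sub"], 300, "access", now)


def refresh_hardened(refresh_token: str, now: int) -> str:
    """Hardened pattern: a valid refresh token is necessary but not
    sufficient; the account must still be active at refresh time."""
    payload = decode_token(refresh_token, now)
    if payload["type"] != "refresh":
        raise ValueError("not a refresh token")
    user = USERS.get(payload["sub"])
    if user is None or not user["is_active"]:
        raise PermissionError("account disabled")
    return issue_token(payload["sub"], 300, "access", now)


def disable_user(username: str) -> None:
    USERS[username]["is_active"] = False


def demo() -> tuple:
    """Issue a long-lived refresh token, disable the account, then try both
    refresh handlers. Returns (vulnerable_still_works, hardened_blocked)."""
    t0 = 1_700_000_000  # constructed clock value
    refresh = issue_token("mallory", 86400, "refresh", t0)
    disable_user("mallory")
    access = refresh_vulnerable(refresh, t0 + 60)
    vulnerable_still_works = decode_token(access, t0 + 61)["sub"] == "mallory"
    try:
        refresh_hardened(refresh, t0 + 60)
        hardened_blocked = False
    except PermissionError:
        hardened_blocked = True
    return vulnerable_still_works, hardened_blocked


if __name__ == "__main__":
    print(demo())
```

The same `is_active` check belongs on the protected views as well, so that an access token minted just before the account was disabled stops working when it is next presented rather than only at its next refresh.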

Where is the attached patch?