Security: Patch for LMS user API

Hello all,

We have released a change for a security vulnerability with the LMS user API. No patch is required for Lilac or any older release. If you are using master, please update, or apply the attached patch: user-api.patch

Without this patch, it is possible for authenticated users to see the email address and LMS internal user ID of any other user given their username, even if that user’s profile was set to private.

We advise you to patch your instances as soon as possible. Because of an issue with our security patching process, we’ve already added this fix to our public repo, and this message ended up delayed. If you use the master branch, you can confirm that you already have the patch if git merge-base --is-ancestor c0bed8795 master; echo $? returns 0.

If you have any questions, feel free to reach out to me.