Security: Patch for SAML endpoint configuration

We have just released a change for a security vulnerability in edx-platform with the SAML configuration endpoints.

Without this patch, it is possible for unprivileged users to modify or delete SAML Configuration objects. The cause is the Django REST Framework ModelViewSet base class, which automatically implements DELETE and POST endpoints that are unsecured unless decorated properly. Our fix changes ModelViewSet to ReadOnlyModelViewSet, preventing non-GET requests.

We advise you to patch your instances as soon as possible by upgrading to at least commit afceb272 on the master branch or ab7aba52 on Maple, or by cherry-picking that change as needed. If you have any questions, feel free to reach out to me.
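As an added illustration (not edx-platform code), the following stdlib-only audit walks a Python source file and flags Django REST Framework viewsets that inherit a write-capable base (ModelViewSet, or the create/update/destroy mixins) without declaring their own permission_classes, which is the pattern behind this advisory. The viewset, model and serializer names in the embedded sample are constructed stand-ins, not the real edx-platform classes.

```python
import ast
from typing import Iterator, List, Tuple

# DRF bases whose presence adds POST/PUT/PATCH/DELETE handlers to a viewset.
WRITE_CAPABLE_BASES = {"ModelViewSet", "CreateModelMixin",
                       "UpdateModelMixin", "DestroyModelMixin"}


def _base_names(cls: ast.ClassDef) -> Iterator[str]:
    """Yield the simple name of each base class (handles viewsets.ModelViewSet)."""
    for base in cls.bases:
        if isinstance(base, ast.Name):
            yield base.id
        elif isinstance(base, ast.Attribute):
            yield base.attr


def _declares_permissions(cls: ast.ClassDef) -> bool:
    """True if the class body assigns permission_classes itself."""
    for stmt in cls.body:
        if isinstance(stmt, ast.Assign):
            targets = stmt.targets
        elif isinstance(stmt, ast.AnnAssign):
            targets = [stmt.target]
        else:
            continue
        if any(isinstance(t, ast.Name) and t.id == "permission_classes" for t in targets):
            return True
    return False


def find_unprotected_viewsets(source: str) -> List[Tuple[str, int, str]]:
    """Return (class_name, line, write_capable_bases) for viewsets that expose
    write actions without declaring permission_classes on the class."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            writable = set(_base_names(node)) & WRITE_CAPABLE_BASES
            if writable and not _declares_permissions(node):
                findings.append((node.name, node.lineno, ", ".join(sorted(writable))))
    return findings


# Constructed sample: the vulnerable shape beside the read-only fix and an
# explicitly restricted writable viewset (names are stand-ins, not edx-platform's).
SAMPLE_SOURCE = '''
from rest_framework import viewsets, permissions

class SAMLConfigurationViewSet(viewsets.ModelViewSet):  # vulnerable: POST/DELETE open
    queryset = SAMLConfiguration.objects.all()
    serializer_class = SAMLConfigurationSerializer

class SAMLConfigurationReadOnlyViewSet(viewsets.ReadOnlyModelViewSet):  # fixed: GET only
    queryset = SAMLConfiguration.objects.all()
    serializer_class = SAMLConfigurationSerializer

class AdminOnlyViewSet(viewsets.ModelViewSet):  # writable, but restricted to admins
    permission_classes = (permissions.IsAdminUser,)
'''

if __name__ == "__main__":
    for name, line, bases in find_unprotected_viewsets(SAMPLE_SOURCE):
        print(f"line {line}: {name} inherits {bases} without permission_classes")
```

The check flags candidates for review rather than confirmed holes: a project-wide DEFAULT_PERMISSION_CLASSES setting may still protect a flagged class, so verify each finding against the running instance.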
