Upcoming Security Release: xblock-lti-consumer

On Tuesday, January 24, we’ll be releasing version 7.2.2 of xblock-lti-consumer. This release will contain a Low level security fix as determined using CVSS.

Affected repository: xblock-lti-consumer.
Vulnerability Score: Low (CVSS Score).
Patch release date & time: 2023-01-24 (time TBD).

This post will be updated with the vulnerability details after the patch is released.

This is planned to be released at 10am EST on 2023-01-24.

Note for maintainers: The package name is lti-consumer-xblock, which differs from the repo name.

As far as the master/main branches of the edx and openedx orgs are concerned, I only see it as a direct dependency in edx/edx-exams and openedx/edx-platform.

The details of this patch are now published at: Vulnerability in LTI 1.3 Grade Pass Back Implementation · Advisory · openedx/xblock-lti-consumer · GitHub

lti-consumer-xblock version 7.2.2 is now available with a fix for this issue.

I’m seeing this topic just now. The version of the xblock that ships with Olive is 4.5.0. Is version 4.5.0 affected by the vulnerability? If yes, can we safely upgrade to 7.2.2? In my understanding there are at least three breaking changes between 4.5.0 and 7.2.2, so it seems unlikely that we can upgrade without any problem in Olive.