CVE-2024-22209 - OpenCVE

Open edX Platform is a service-oriented platform for authoring and delivering online learning. A user with a JWT and more limited scopes could call endpoints exceeding their access. This vulnerability has been patched in commit 019888f.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Edx	Edx-platform

Configuration 1 [-]

cpe:2.3:a:edx:edx-platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775
https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e
https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-13T07:40:44.052Z

Updated: 2024-08-01T22:35:34.932Z

Reserved: 2024-01-08T04:59:27.374Z

Link: CVE-2024-22209

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-13T08:15:07.557

Modified: 2024-01-22T19:20:27.757

Link: CVE-2024-22209

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-08T04:59:27.374Z", "datePublished": "2024-01-13T07:40:44.052Z", "dateUpdated": "2024-08-01T22:35:34.932Z"}, "containers": {"cna": {"title": "XBlock custom auth does not respect JWT Scopes", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm"}, {"name": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e", "tags": ["x_refsource_MISC"], "url": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e"}, {"name": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775", "tags": ["x_refsource_MISC"], "url": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775"}], "affected": [{"vendor": "openedx", "product": "edx-platform", "versions": [{"version": "< commit 019888f", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-13T07:40:44.052Z"}, "descriptions": [{"lang": "en", "value": "Open edX Platform is a service-oriented platform for authoring and delivering online learning. A user with a JWT and more limited scopes could call endpoints exceeding their access. This vulnerability has been patched in commit 019888f."}], "source": {"advisory": "GHSA-qx8m-mqx3-j9fm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.932Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm"}, {"name": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e"}, {"name": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:edx:edx-platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BD13825-8465-4BC9-86A9-392515F89403", "versionEndExcluding": "2024-01-12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open edX Platform is a service-oriented platform for authoring and delivering online learning. A user with a JWT and more limited scopes could call endpoints exceeding their access. This vulnerability has been patched in commit 019888f."}, {"lang": "es", "value": "Open edX Platform es una plataforma orientada a servicios para crear y ofrecer aprendizaje en l\u00ednea. Un usuario con un JWT y alcances m\u00e1s limitados podr\u00eda llamar a endpoints que excedan su acceso. Esta vulnerabilidad ha sido parcheada en el commit 019888f."}], "id": "CVE-2024-22209", "lastModified": "2024-01-22T19:20:27.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-13T08:15:07.557", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openedx/edx-platform/blob/0b3e4d73b6fb6f41ae87cf2b77bca12052ee1ac8/lms/djangoapps/courseware/block_render.py#L752-L775"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openedx/edx-platform/commit/019888f3d15beaebcb7782934f6c43b0c2b3735e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/openedx/edx-platform/security/advisories/GHSA-qx8m-mqx3-j9fm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}