Open edX Platform Unrestricted Download of python_lib.zip Asset Vulnerability

Vulnerability

A vulnerability exists in the Open edX Platform's edxapp component, prior to a specific commit, that allows anyone to download the python_lib.zip file from a course without restriction. This file may contain custom grading scripts or answers to course assignments, which is a risk for courses that use custom Python-graded problem blocks. Although an nginx rule to block such downloads has been available since 2016, it was only a temporary fix. With the configuration repository now deprecated and no similar protection found in Tutor, most deployments likely remain vulnerable.

Impact

The vulnerability could lead to unauthorized access to sensitive educational materials, including custom grading code and answers to course problems, particularly in courses with Python-graded assessments.

Reproduction

The vulnerability can be reproduced by attempting to download the python_lib.zip file from a course that uses custom Python-graded problem blocks, without any restrictions in place. This can be done by a user who is not part of the course team or site staff.

Remediation

Operators should update to the latest version of the Open edX Platform, where this vulnerability has been addressed by restricting python_lib.zip downloads to course team members and site staff/superusers.
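The remediation described above is an authorization check on the asset download path. The following is an added illustration of that check, not the Open edX project's own code: the User model, the course_roles mapping and the role names are constructed stand-ins, and the protected-asset list is an assumption.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed stand-in for the request user; not Open edX's real User model.
@dataclass
class User:
    username: str
    is_staff: bool = False          # site staff
    is_superuser: bool = False      # site superuser
    # course_id -> set of role names held on that course (assumed names)
    course_roles: dict = field(default_factory=dict)

# Assets that must only be served to privileged users (assumption).
PROTECTED_ASSETS = {"python_lib.zip"}
# Roles that count as "course team" for this check (assumed names).
COURSE_TEAM_ROLES = {"instructor", "staff"}


def is_course_team(user, course_id):
    """True if the user holds a course-team role on this specific course."""
    return bool(user.course_roles.get(course_id, set()) & COURSE_TEAM_ROLES)


def may_download_asset(user, course_id, asset_path):
    """Decide whether a request may fetch the named course asset.

    Unprotected assets keep their existing behaviour; protected ones are
    limited to site staff/superusers and the course's own team. Anonymous
    requests (user is None) are denied for protected assets.
    """
    # Compare on the final path component so a directory prefix in the
    # request does not bypass the name check.
    asset_name = posixpath.basename(asset_path)
    if asset_name not in PROTECTED_ASSETS:
        return True
    if user is None:
        return False
    if user.is_superuser or user.is_staff:
        return True
    return is_course_team(user, course_id)
```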

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 9.3
remediation: 5.6
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.