Open edX
cpe:2.3:a:edx:open_edx:*:*:*:*:*:*:*, +2 more
- <= master
A server-side request forgery (SSRF) vulnerability has been identified in the Open edX Platform within the SAMLProviderDataViewSet.sync_provider_data endpoint. This issue allows authenticated Enterprise Admin users to send arbitrary URLs via the metadata_url POST parameter. The provided URL is then used in a request without proper validation, enabling potential access to internal network services, cloud metadata endpoints, or other attacker-controlled locations. The vulnerability arises from a lack of URL validation, IP filtering, and scheme enforcement, creating opportunities for exploitation by users with Enterprise Admin privileges.
Exploitation of this vulnerability allows for unauthorized access to internal network services and cloud metadata endpoints, such as AWS metadata services, which could lead to the theft of IAM credentials and subsequent remote code execution on cloud infrastructure. Additionally, the vulnerability could be used to scan internal networks or access internal APIs and services not exposed to the internet.
To reproduce this vulnerability, an authenticated user with Enterprise Admin privileges can send a POST request to the 'sync_provider_data' endpoint with a crafted 'metadata_url' parameter. The absence of validation allows the request to be forwarded to internal services or cloud metadata endpoints, depending on the URL provided.
Private IP addresses and link-local addresses, including cloud metadata endpoints, are blocked by default. For deployments where the SAML Identity Provider is on the same private network as the Open edX server, this setting can be adjusted; instructions for modifying it are available in the Open edX documentation.
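The mitigation described above (scheme enforcement, resolving the host, and rejecting private and link-local destinations unless the operator has explicitly allowed a trusted private network) can be expressed as a small validator that runs before any server-side fetch of the metadata URL. The code below is an added example, not the Open edX project's own fix; the function names, the BLOCKED_NETWORKS list and the FAKE_DNS table are assumptions constructed for this illustration so the example runs offline.

```python
"""Added example: validate an operator-supplied SAML metadata URL before the
server fetches it.  Hypothetical code, not Open edX's own implementation."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")

# Destinations a server-side fetch must never reach by default: loopback,
# RFC 1918 private space, link-local (where cloud metadata services live),
# multicast, unspecified and reserved ranges.  Constructed for this example.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class UnsafeMetadataURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def dns_resolve(host):
    """Resolve every address a hostname maps to (real DNS; the default)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise UnsafeMetadataURL(f"cannot resolve {host!r}") from exc
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)


# Constructed lookup table so the example runs offline; not real DNS data.
FAKE_DNS = {
    "idp.example.com": [ipaddress.ip_address("203.0.113.10")],    # public IdP
    "idp.corp.internal": [ipaddress.ip_address("10.20.30.40")],   # IdP on the LAN
    "dual.example.com": [ipaddress.ip_address("203.0.113.11"),
                         ipaddress.ip_address("127.0.0.1")],      # one record is loopback
}


def fake_resolve(host):
    """Offline stand-in for dns_resolve, backed by FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise UnsafeMetadataURL(f"cannot resolve {host!r}") from None


def is_blocked_address(addr):
    """True if addr falls in BLOCKED_NETWORKS.  IPv4-mapped IPv6 addresses are
    unwrapped first so that ::ffff:a.b.c.d cannot bypass the IPv4 ranges."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_metadata_url(url, allowed_networks=(), resolve=dns_resolve):
    """Return the resolved addresses for url, or raise UnsafeMetadataURL.

    allowed_networks is the operator override for deployments whose IdP lives
    on the same private network, given as CIDR strings such as "10.20.0.0/16".
    Every resolved address must pass: a host with one public and one blocked
    record is rejected, since the client could connect to either."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeMetadataURL(f"scheme {parsed.scheme!r} not allowed")
    host = parsed.hostname
    if not host:
        raise UnsafeMetadataURL("URL has no host")
    if parsed.username or parsed.password:
        raise UnsafeMetadataURL("credentials in URL are not allowed")
    allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    try:
        addrs = [ipaddress.ip_address(host)]   # IP literal: no DNS needed
    except ValueError:
        addrs = resolve(host)
    for addr in addrs:
        if is_blocked_address(addr) and not any(addr in net for net in allowed):
            raise UnsafeMetadataURL(f"{host} resolves to blocked address {addr}")
    return addrs


def is_safe_metadata_url(url, allowed_networks=(), resolve=dns_resolve):
    """Boolean convenience wrapper around validate_metadata_url."""
    try:
        validate_metadata_url(url, allowed_networks, resolve)
    except UnsafeMetadataURL:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://idp.example.com/saml/metadata",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://idp.corp.internal/saml/metadata"):
        print(candidate, "->", is_safe_metadata_url(candidate, resolve=fake_resolve))
```

Two points the validator alone does not cover: the HTTP client that performs the fetch should not follow redirects automatically (or should re-run this check on every hop), and because the check resolves the name before the client connects, a deployment that wants to close the remaining DNS rebinding window should connect to the address returned by validate_metadata_url rather than letting the client resolve the name a second time.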