Open edX Enterprise Service SAML Provider Data Sync Endpoint Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the Open edX Enterprise Service app, affecting versions from 7.0.2 up to, but not including, 7.0.4. The issue arises in the sync_provider_data endpoint of the SAMLProviderDataViewSet, where SAML metadata is fetched from the URL stored in SAMLProviderConfig.metadata_source. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL, which the server then requests without validating the destination. This allows unauthorized outbound HTTP requests from the server, potentially exposing internal services or cloud metadata endpoints.
Impact
Exploitation of this vulnerability allows an Enterprise Admin to make the server issue arbitrary outbound HTTP requests. This could be used to access internal APIs, scan internal networks, or steal cloud credentials by accessing metadata services that provide temporary IAM credentials.
Reproduction
To reproduce this vulnerability, an authenticated user with the Enterprise Admin role can patch the SAML provider configuration to include a malicious metadata URL, such as one pointing to a cloud metadata service. After setting the URL, the user can call the sync_provider_data endpoint, which will trigger a server-side fetch of the metadata. The server's response will indicate whether the internal URL was reached, confirming successful exploitation.
Remediation
Users are advised to update to Open edX Enterprise Service version 7.0.5, where this vulnerability has been fixed. Additionally, operators should enforce network-level egress filtering to block outbound connections from the Open edX server to link-local and private IP ranges, particularly for hostname-based URLs that cannot be validated at the application layer.
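The application-layer half of the remediation above is a destination check on metadata_source before the fetch. The following is an added example written for this advisory; it is not code from the Open edX Enterprise Service project and does not reproduce the fix shipped in 7.0.5. It rejects non-HTTPS schemes and URL-embedded credentials, resolves the hostname (or parses an IP literal), and refuses any address in loopback, link-local (which covers cloud metadata services), private, or IPv4-mapped-private ranges. The resolver is injectable so the check can be unit-tested offline; the function names, the blocked-range list and the sample hostnames are assumptions, not values from the advisory.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a SAML metadata fetch should never reach. This list is an assumption
# for the example; tune it to the deployment's own network layout.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),   # carrier-grade NAT
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata services
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]

ALLOWED_SCHEMES = {"https"}


class UnsafeMetadataSource(ValueError):
    """Raised when a metadata_source URL must not be fetched."""


def default_resolver(hostname):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(hostname, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_blocked_address(addr):
    """True if addr lies in a range the server must not contact."""
    # An IPv4-mapped IPv6 literal (::ffff:169.254.169.254) is judged as its IPv4 form,
    # so it cannot be used to slip past the IPv4 ranges above.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return is_blocked_address(addr.ipv4_mapped)
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_metadata_source(url, resolver=default_resolver):
    """Return the resolved addresses for url if it is safe to fetch, else raise.

    The caller should connect to one of the returned addresses (keeping the
    original Host header and SNI) instead of resolving the name again; that
    closes the DNS-rebinding window between this check and the actual fetch.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeMetadataSource(f"scheme {parsed.scheme!r} not allowed")
    if parsed.username or parsed.password:
        raise UnsafeMetadataSource("credentials in URL not allowed")
    host = parsed.hostname
    if not host:
        raise UnsafeMetadataSource("URL has no host")
    try:
        # IP literal: no DNS lookup, judge the address directly.
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise UnsafeMetadataSource(f"{host!r} did not resolve")
    for addr in addresses:
        if is_blocked_address(addr):
            raise UnsafeMetadataSource(f"{host!r} resolves to blocked address {addr}")
    return addresses


if __name__ == "__main__":
    # Constructed resolver standing in for DNS, so this runs offline.
    fake_dns = {"idp.example.com": [ipaddress.ip_address("93.184.216.34")],
                "metadata.corp.internal": [ipaddress.ip_address("10.0.0.5")]}
    for candidate in ["https://idp.example.com/saml/metadata",
                      "http://idp.example.com/saml/metadata",
                      "https://169.254.169.254/latest/",
                      "https://metadata.corp.internal/"]:
        try:
            print("allow", candidate, validate_metadata_source(candidate, fake_dns.get))
        except UnsafeMetadataSource as exc:
            print("deny ", candidate, "->", exc)
```

Because DNS answers can change between validation and fetch, the check returns the addresses it vetted; a fetch layer that pins the connection to one of them (for example by connecting to the IP while sending the original hostname as Host and SNI) is what makes this an application-layer control rather than a guess about what the name will resolve to next time. Egress filtering at the network layer, as the advisory recommends, remains the backstop for anything this check does not model.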