PT-2024-5257 · Amazon · AWS S3

Feanil · Published 2024-07-25 · Updated 2024-07-26 · CVE-2024-41806

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Open edX Platform versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper
Description: The issue stems from inadequate access control in the AWS S3 Bucket Handler component of the Open edX Platform, which may allow a remote attacker to disclose protected information. Instructors can upload CSV files containing learner information to create cohorts from the instructor dashboard; with certain storage backends, these uploads may become publicly accessible. The patch ensures that cohort data uploaded to AWS S3 buckets is written with a private ACL.
Recommendations: For versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper, apply the patch in commit cb729a3ced0404736dfa0ae768526c82b608657b, which ensures that cohort data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, verify that existing cohort uploads have a private ACL, or take other precautions to prevent public access.
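One way to act on the recommendation above, as an added example that is not code from the Open edX project or its patch: it classifies an object ACL in the shape boto3's get_object_acl() returns as publicly readable, audits every key under a prefix, and writes a new object with the private canned ACL. It assumes boto3 and AWS credentials are available in the environment; the sample grants list and the owner ID in it are constructed.

```python
"""Audit S3 object ACLs for public grants (added example, not Open edX code)."""
from typing import Iterable, List

# AWS canned-group URIs that appear in ACL grants (real values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}

# Constructed sample: the "Grants" list get_object_acl() returns for an
# object written with the public-read canned ACL.
SAMPLE_PUBLIC_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]


def public_read_grants(grants: Iterable[dict]) -> List[str]:
    """Return the group URIs in `grants` that let everyone read the object.
    Empty means the ACL itself is private (bucket policies are not checked)."""
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            found.append(grantee["URI"])
    return found


def audit_prefix(bucket: str, prefix: str) -> List[str]:
    """List keys under `prefix` whose ACL grants public read access."""
    import boto3  # lazy import: assumes credentials are in the environment
    s3 = boto3.client("s3")
    exposed = []
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for obj in page.get("Contents", []):
            acl = s3.get_object_acl(Bucket=bucket, Key=obj["Key"])
            if public_read_grants(acl["Grants"]):
                exposed.append(obj["Key"])
    return exposed


def upload_private(bucket: str, key: str, body: bytes) -> None:
    """Write an object with the private canned ACL the advisory's fix requires."""
    import boto3
    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=body, ACL="private")
```

Run audit_prefix against the bucket and prefix your storage backend uses for cohort uploads; any key it returns should be re-written or have its ACL reset to private.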


Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2024-05870
CVE-2024-41806
GHSA-4528-7FH6-X75C

Affected Products

AWS S3