The Open edX Platform's sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to specify a metadata_url parameter that is passed directly to the Python requests.get() function without any URL validation, IP filtering, or scheme enforcement. This lack of validation enables Server-Side Request Forgery (CWE-918), permitting attackers with Enterprise Admin privileges to cause the server to make HTTP requests to internal network resources, cloud metadata services such as AWS 169.254.169.254, or other attacker-controlled destinations. The vulnerability is fixed in commits 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054. The affected versions are those prior to these commits. The vulnerability has a CVSS 3.1 score of 8.5 (High), reflecting network attack vector, low attack complexity, required privileges of an authenticated Enterprise Admin, no user interaction, scope change, high confidentiality impact, low integrity impact, and no availability impact. The vendor manages remediation for this cloud-hosted service.

An attacker with Enterprise Admin privileges can exploit this SSRF vulnerability to make the server perform HTTP requests to internal network services or cloud metadata endpoints, potentially exposing sensitive information or enabling further attacks within the internal network. The impact includes high confidentiality loss and limited integrity impact. There are no known exploits in the wild at this time.

A patch is available and has been applied in commits 6fda1f120ff5a590d120ae1180185525f399c6d0 and 70a56246dd9c9df57c596e64bdd8a11b1d9da054. Users of openedx-platform should upgrade to a version including these commits to remediate the vulnerability. Since this is a cloud-hosted service, the vendor manages remediation server-side; users should verify with the vendor that their environment is updated accordingly. No additional mitigation steps are indicated by the vendor advisory.