Open edX Platform's instructor upload CSV for cohort creation not Private by Default

The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

访问控制不恰当

Open edX Platform 安全漏洞

Open edX Platform是Open edX开源的一套开源的课程管理系统（CMS）。该系统可用于MOOCs（大规模网络开放课程）以及较小的课程和培训模块。 Open edX Platform存在安全漏洞，该漏洞源于对于某些存储后端，上传内容可能会公开。

N/A

N/A