Impact

The JWT authentication used by MFEs to make REST requests has code that trusts the JWT and updates the user record in the database to match it. This code will even automatically create the user in that service, if it doesn't already exist. I believe the idea was to be able to allow users to use other services like ecommerce without having to worry about syncing user updates between the LMS and those services–the LMS would just issue the token, and then those services would update themselves based on the token being presented by the user.

In order to make sure that the LMS itself does not update its fields from a possibly outdated JWT, it has configuration to set the EDX_DRF_EXTENSIONS['JWT_PAYLOAD_USER_ATTRIBUTE_MAPPING'] setting be an empty dictionary. Unfortunately, this was not being set for Studio.

The vulnerability is this:

1. User rusty has is_staff=True for his auth_user entry, making them global staff.
2. User rusty is currently logged in and has a valid JWT token in their edx-jwt-cookie-header-payload cookie.
3. An administrator sets is_staff=False for user rusty as part of the off-boarding process, but does not change their username. At this point, rusty cannot access the Django admin, even if their session was still active.
4. While user rusty still has a valid JWT token (up to 1 hour), they reload an MFE page that makes API calls, such as course authoring (e.g. https://apps.next-release.openedx.org/course-authoring/home).
5. The code in our JwtAuthentication class will see that the token is marked with is_staff=True, while the database shows is_staff=False, and will update the database to match the token, making rusty global staff again.