Security Alert

Severity: Critical
Category: Configuration
Affected Projects: configuration, edx-platform
Reporter: edX
Permanent URL:

On March 6, 2015, we discovered and resolved a bug in the Ansible edxapp role that could allow different websites to impersonate edX accounts (though we’re not aware that any such activity has occurred). The bug was introduced on February 25, 2015. If you use Ansible to maintain deployments of edx-platform and have run Ansible since February 25, 2015, we strongly recommend that you update to the latest version of configuration and re-run your playbooks to apply the fix.  Note that this vulnerability was not present in either the Aspen or Birch named releases of edX.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-2186 to this issue. This is an entry on the CVE list (, which standardizes names for security problems.

More Information

The bug caused the CORS_ORIGIN_ALLOW_ALL setting to be set to a string whose value was “False” instead of a boolean False. The flag evaluated to boolean True, causing the site to accept cross-site requests from any website. We have changed the default value and updated all our environments.

The bug was introduced in pull request 1869.

The bug was fixed in pull request 1885.