Skip to main content

Opencast CVE-2020-5222

HIGH
Use of Hard-coded Credentials (CWE-798)
2020-01-30 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jan 30, 2020 - 21:15 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 23 maven packages depend on org.opencastproject:opencast-kernel (13 direct, 10 indirect)

Ecosystem-wide dependent count for version 8.0.

DescriptionNVD

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1

AnalysisAI

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Technical ContextAI

This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1 Affected products include: Apereo Opencast. Version information: before 7.6.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.

CVE-2021-43821 HIGH POC
7.7 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated high severity (CVSS 7.7), this vulner

CVE-2017-1000221 MEDIUM POC
6.5 Nov 17

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules

CVE-2021-43807 MEDIUM POC
6.5 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated medium severity (CVSS 6.5), this vuln

CVE-2021-32623 MEDIUM POC
6.5 Jun 16

Opencast is a free and open source solution for automated video capture and distribution. Rated medium severity (CVSS 6.

CVE-2020-5231 MEDIUM POC
6.5 Jan 30

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new user

CVE-2020-5206 CRITICAL
10.0 Jan 30

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume prope

CVE-2017-1000217 HIGH
8.8 Nov 17

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media

CVE-2020-5229 HIGH
8.1 Jan 30

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Rated

CVE-2024-52797 HIGH
7.5 Nov 21

Opencast is free and open source software for automated video capture and distribution. Rated high severity (CVSS 7.5),

CVE-2020-5230 HIGH
7.5 Jan 30

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. Rated high s

CVE-2020-5228 HIGH
7.5 Jan 30

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. Rated hi

CVE-2022-41965 MEDIUM
6.1 Nov 28

Opencast is a free, open-source platform to support the management of educational audio and video content. Rated medium

Share

CVE-2020-5222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy