Skip to main content

Opencast CVE-2020-5228

HIGH
Missing Authorization (CWE-862)
2020-01-30 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 30, 2020 - 20:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on org.opencastproject:opencast-oaipmh-api (2 direct, 1 indirect)

Ecosystem-wide dependent count for version 8.0.

DescriptionNVD

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with ROLE_ADMIN by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.

AnalysisAI

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with ROLE_ADMIN by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows. Affected products include: Apereo Opencast. Version information: before 8.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2021-43821 HIGH POC
7.7 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated high severity (CVSS 7.7), this vulner

CVE-2017-1000221 MEDIUM POC
6.5 Nov 17

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules

CVE-2021-43807 MEDIUM POC
6.5 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated medium severity (CVSS 6.5), this vuln

CVE-2021-32623 MEDIUM POC
6.5 Jun 16

Opencast is a free and open source solution for automated video capture and distribution. Rated medium severity (CVSS 6.

CVE-2020-5231 MEDIUM POC
6.5 Jan 30

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new user

CVE-2020-5206 CRITICAL
10.0 Jan 30

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume prope

CVE-2017-1000217 HIGH
8.8 Nov 17

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media

CVE-2020-5222 HIGH
8.8 Jan 30

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an add

CVE-2020-5229 HIGH
8.1 Jan 30

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Rated

CVE-2024-52797 HIGH
7.5 Nov 21

Opencast is free and open source software for automated video capture and distribution. Rated high severity (CVSS 7.5),

CVE-2020-5230 HIGH
7.5 Jan 30

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. Rated high s

CVE-2022-41965 MEDIUM
6.1 Nov 28

Opencast is a free, open-source platform to support the management of educational audio and video content. Rated medium

Share

CVE-2020-5228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy