Skip to main content

Opencast CVE-2021-32623

MEDIUM
Improper Restriction of Recursive Entity References in DTDs (CWE-776)
2021-06-16 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 16, 2021 - 00:15 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 19 maven packages depend on org.opencastproject:opencast-kernel (11 direct, 8 indirect)

Ecosystem-wide dependent count for version 9.6.

DescriptionNVD

Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue.

AnalysisAI

Opencast is a free and open source solution for automated video capture and distribution. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-776. Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue. Affected products include: Apereo Opencast. Version information: prior to 9.6.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2021-43821 HIGH POC
7.7 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated high severity (CVSS 7.7), this vulner

CVE-2017-1000221 MEDIUM POC
6.5 Nov 17

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules

CVE-2021-43807 MEDIUM POC
6.5 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated medium severity (CVSS 6.5), this vuln

CVE-2020-5231 MEDIUM POC
6.5 Jan 30

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new user

CVE-2020-5206 CRITICAL
10.0 Jan 30

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume prope

CVE-2017-1000217 HIGH
8.8 Nov 17

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media

CVE-2020-5222 HIGH
8.8 Jan 30

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an add

CVE-2020-5229 HIGH
8.1 Jan 30

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Rated

CVE-2024-52797 HIGH
7.5 Nov 21

Opencast is free and open source software for automated video capture and distribution. Rated high severity (CVSS 7.5),

CVE-2020-5230 HIGH
7.5 Jan 30

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. Rated high s

CVE-2020-5228 HIGH
7.5 Jan 30

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. Rated hi

CVE-2022-41965 MEDIUM
6.1 Nov 28

Opencast is a free, open-source platform to support the management of educational audio and video content. Rated medium

Share

CVE-2021-32623 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy