Skip to main content

Opencast CVE-2022-29237

MEDIUM
Improper Authentication (CWE-287)
2022-05-24 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 24, 2022 - 15:15 nvd
MEDIUM 5.4

DescriptionNVD

Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster. Users who do not run a multi-tenant cluster are not affected by this issue. This issue is fixed in Opencast 10.14 and 11.7.

AnalysisAI

Opencast is a free and open source solution for automated video capture and distribution at scale. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster. Users who do not run a multi-tenant cluster are not affected by this issue. This issue is fixed in Opencast 10.14 and 11.7. Affected products include: Apereo Opencast.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

CVE-2021-43821 HIGH POC
7.7 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated high severity (CVSS 7.7), this vulner

CVE-2017-1000221 MEDIUM POC
6.5 Nov 17

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules

CVE-2021-43807 MEDIUM POC
6.5 Dec 14

Opencast is an Open Source Lecture Capture & Video Management for Education. Rated medium severity (CVSS 6.5), this vuln

CVE-2021-32623 MEDIUM POC
6.5 Jun 16

Opencast is a free and open source solution for automated video capture and distribution. Rated medium severity (CVSS 6.

CVE-2020-5231 MEDIUM POC
6.5 Jan 30

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new user

CVE-2020-5206 CRITICAL
10.0 Jan 30

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume prope

CVE-2017-1000217 HIGH
8.8 Nov 17

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media

CVE-2020-5222 HIGH
8.8 Jan 30

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an add

CVE-2020-5229 HIGH
8.1 Jan 30

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Rated

CVE-2024-52797 HIGH
7.5 Nov 21

Opencast is free and open source software for automated video capture and distribution. Rated high severity (CVSS 7.5),

CVE-2020-5230 HIGH
7.5 Jan 30

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. Rated high s

CVE-2020-5228 HIGH
7.5 Jan 30

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. Rated hi

Share

CVE-2022-29237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy