CVE-2020-5206
- Source
- https://cve.org/CVERecord?id=CVE-2020-5206
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5206.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-5206
- Aliases
- Related
- Published
- 2020-01-30T22:15:10.093Z
- Modified
- 2026-04-11T13:53:18.836385Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1
- References
Affected packages
Git / github.com/opencast/opencast
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opencast/opencast
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "7.6" }, { "introduced": "0" }, { "last_affected": "8.0" } ] }
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5206.json"
vanir_signatures_modified
"2026-04-11T13:53:18Z"
vanir_signatures
[
{
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8",
"digest": {
"function_hash": "167346135946564669046519915409421511479",
"length": 1295.0
},
"id": "CVE-2020-5206-512cd126",
"deprecated": false,
"target": {
"file": "modules/kernel/src/main/java/org/opencastproject/kernel/security/SecurityServiceSpringImpl.java",
"function": "getUser"
}
},
{
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8",
"digest": {
"threshold": 0.9,
"line_hashes": [
"75734271569501890742707772433482178339",
"9449146567902022179387120400375231962",
"26497533256406873041303374309956159704",
"297316715959913770141208720028423518536",
"297606026605268180059405808325019465599",
"243848335991179446238398700925076172114",
"314978509694484350818193829998104722191",
"273497479687732357750155179060993310467",
"93061623914477109868448453301859978307",
"54237984380871022123563447646474255136",
"56758462960864214513846614017296084741",
"68713570741423335150937093381461604945",
"248133498536070940049255215164087235288",
"71363555222591940687754051745369406245",
"198617838609609575598291077525213931328",
"3983025312276577579023255530653434805",
"45953953377927039865200941334146225818",
"231150002775214218949467454066609038781",
"162997854360279914929087427543946226373",
"257579352272766048081902690901959992461",
"91585432208515058336699489430221841564",
"56845993912443392280357661555440288217",
"144535471280545180173825053350102738412",
"328874135712492332490705915419693968116",
"68416579223047458720870837242649533353",
"33895084022467220835259949710458856719"
]
},
"id": "CVE-2020-5206-cb4ea6e9",
"deprecated": false,
"target": {
"file": "modules/kernel/src/main/java/org/opencastproject/kernel/security/SecurityServiceSpringImpl.java"
}
}
]