GHSA-3r48-3m8r-4r9w

Source
https://github.com/advisories/GHSA-3r48-3m8r-4r9w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3r48-3m8r-4r9w/GHSA-3r48-3m8r-4r9w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3r48-3m8r-4r9w
Aliases
Published
2023-03-28T15:30:18Z
Modified
2023-11-08T04:12:09.838200Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Apache OpenMeetings missing authentication can allow user impersonation
Details

The Apache Software Foundation's OpenMeetings, from version 2.0.0 up to but not including 7.0.0, is missing authentication on meeting invitation URLs. An invitation URL contains a hash that automatically logs the bearer in as the invited user. An unauthorized user who obtains such a URL can log in to the meeting as the invited user, in effect elevating their privileges in the meeting room. OpenMeetings 7.0.0 disables this option if a contact is not selected.

Database specific
{
    "nvd_published_at": "2023-03-28T13:15:00Z",
    "github_reviewed_at": "2023-04-04T17:38:51Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Maven / org.apache.openmeetings:openmeetings-parent

Package

Name
org.apache.openmeetings:openmeetings-parent
Purl
pkg:maven/org.apache.openmeetings/openmeetings-parent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
7.0.0

Affected versions

3.*

3.1.2
3.1.3
3.1.4
3.1.5
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2

4.*

4.0.0
4.0.1
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.9
4.0.10
4.0.11

5.*

5.0.0-M1
5.0.0-M2
5.0.0-M3
5.0.0-M4
5.0.0
5.1.0

6.*

6.2.0
6.3.0