GHSA-vmm6-w4cf-7f3x

Source
https://github.com/advisories/GHSA-vmm6-w4cf-7f3x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-vmm6-w4cf-7f3x/GHSA-vmm6-w4cf-7f3x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vmm6-w4cf-7f3x
Aliases
Related
Published
2020-01-30T21:21:30Z
Modified
2023-11-08T04:03:51.253304Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
Authentication Bypass For Endpoints With Anonymous Access in Opencast
Details

Impact

Using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie is incorrect, provided that the attacked endpoint also allows anonymous access.

This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication.
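The failure mode described above, modelled as an added example that is not Opencast's code: a remember-me token is resolved to a principal, and the endpoint's anonymous-access rule is applied as a fallback. The token format, the HMAC scheme, the key and the function names are all assumptions made for illustration. The vulnerable variant takes the username out of the cookie before the MAC is checked and lets the anonymous fallback keep that identity; the fixed variant only trusts a username whose MAC verifies and otherwise falls back to the anonymous principal.

```python
import base64
import hashlib
import hmac

# Constructed server-side key; a real deployment would load this from configuration.
SECRET = b"constructed-remember-me-key"
ANONYMOUS = "anonymous"


def make_token(username: str, key: bytes = SECRET) -> str:
    """Mint a remember-me token as base64(username ':' HMAC-SHA256(key, username)).

    Constructed scheme for illustration only.
    """
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{username}:{mac}".encode()).decode()


def parse_token(token: str):
    """Split a token into (username, mac); None if it is not even well-formed."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        username, mac = raw.rsplit(":", 1)
    except Exception:
        return None
    return username, mac


def token_is_valid(token: str, key: bytes = SECRET) -> bool:
    """True only when the MAC inside the token verifies under the server key."""
    parsed = parse_token(token)
    if parsed is None:
        return False
    username, mac = parsed
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def resolve_principal_vulnerable(token: str, endpoint_allows_anonymous: bool):
    """Flawed pattern (hypothetical): the identity is read from the cookie before
    verification, and the anonymous fallback grants access without resetting it.
    Returns the principal the request runs as, or None if access is denied."""
    parsed = parse_token(token)
    principal = parsed[0] if parsed else ANONYMOUS
    authenticated = token_is_valid(token)
    if not authenticated and endpoint_allows_anonymous:
        authenticated = True  # access granted, but the unverified username survives
    return principal if authenticated else None


def resolve_principal_fixed(token: str, endpoint_allows_anonymous: bool):
    """Hardened pattern: only a verified token yields a named principal; every
    other request on an anonymous-access endpoint runs as 'anonymous'."""
    if token_is_valid(token):
        return parse_token(token)[0]
    return ANONYMOUS if endpoint_allows_anonymous else None


if __name__ == "__main__":
    genuine = make_token("admin")
    bogus = make_token("admin", key=b"not-the-server-key")  # MAC will not verify
    print("vulnerable, bogus token, anonymous endpoint:",
          resolve_principal_vulnerable(bogus, True))
    print("fixed, bogus token, anonymous endpoint:",
          resolve_principal_fixed(bogus, True))
    print("fixed, genuine token:", resolve_principal_fixed(genuine, False))
```

The point to check in any remember-me implementation is the ordering: the decision "this endpoint allows anonymous access" must produce the anonymous principal, never preserve a username that came from a cookie whose integrity check failed.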

Patches

This problem is fixed in Opencast 7.6 and Opencast 8.1.

Workarounds

As a workaround for older, unpatched versions, disabling remember-me cookies in etc/security/mh_default_org.xml will mitigate the problem, but it will also disable the remember-me feature itself without any visible indication to users. To deactivate it, remove the following line from the security configuration:

<sec:remember-me … />
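A small audit script, added here as an example and not part of the advisory or of Opencast, that checks whether the workaround above has actually been applied: it parses a Spring Security XML configuration and reports every remember-me element it finds, regardless of the namespace prefix used. The two inline configuration snippets are constructed samples, and the attribute names on the remember-me element are assumptions; the check only looks at the element's local name.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: remember-me still enabled (prefix and attributes are assumptions).
SAMPLE_WITH_REMEMBER_ME = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/search/**" access="ROLE_ANONYMOUS" />
    <sec:remember-me key="constructed-key" />
  </sec:http>
</beans>
"""

# Constructed sample: the same configuration with the remember-me line removed.
SAMPLE_WITHOUT_REMEMBER_ME = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/search/**" access="ROLE_ANONYMOUS" />
  </sec:http>
</beans>
"""


def local_name(tag: str) -> str:
    """Strip the '{namespace}' part ElementTree prepends to qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_remember_me(xml_text: str) -> list:
    """Return the attribute dicts of every remember-me element in the document."""
    root = ET.fromstring(xml_text)
    return [dict(elem.attrib) for elem in root.iter()
            if local_name(elem.tag) == "remember-me"]


def workaround_applied(xml_text: str) -> bool:
    """True when no remember-me element remains, i.e. the workaround is in place."""
    return not find_remember_me(xml_text)


def audit_file(path: str) -> bool:
    """Audit a configuration file on disk (e.g. etc/security/mh_default_org.xml)."""
    text = Path(path).read_text(encoding="utf-8")
    hits = find_remember_me(text)
    for attrs in hits:
        print(f"{path}: remember-me element present with attributes {attrs}")
    return not hits


if __name__ == "__main__":
    for label, sample in (("with", SAMPLE_WITH_REMEMBER_ME),
                          ("without", SAMPLE_WITHOUT_REMEMBER_ME)):
        print(f"sample {label} remember-me -> workaround applied:",
              workaround_applied(sample))
```

Run `audit_file("etc/security/mh_default_org.xml")` from the Opencast installation directory; a return value of False (and a printed line per hit) means remember-me cookies are still enabled on an unpatched instance.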

References

For more information

If you have any questions or comments about this advisory:

  • Open an issue in opencast/opencast
  • For security-relevant information, email us at security@opencast.org
Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-01-30T21:13:52Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285"
    ]
}
Affected packages

Maven / org.opencastproject:opencast-kernel

Package

Name
org.opencastproject:opencast-kernel
Purl
pkg:maven/org.opencastproject/opencast-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.6

Affected versions

6.*

6.6

7.*

7.2
7.3
7.4
7.5

Maven / org.opencastproject:opencast-kernel

Package

Name
org.opencastproject:opencast-kernel
Purl
pkg:maven/org.opencastproject/opencast-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0
Fixed
8.1

Affected versions

8.*

8.0