GHSA-w29m-fjp4-qhmq

Suggest an improvement
Source
https://github.com/advisories/GHSA-w29m-fjp4-qhmq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-w29m-fjp4-qhmq/GHSA-w29m-fjp4-qhmq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w29m-fjp4-qhmq
Aliases
Published
2020-01-30T21:21:50Z
Modified
2023-11-08T04:03:52.171604Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Unsafe Identifiers in Opencast
Details

Impact

Opencast allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations.

In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change.

Patches

This issue is fixed in Opencast 7.6 and 8.1.

Workarounds

There is no workaround for this.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in opencast/opencast
  • For security-relevant information, email us at security@opencast.org
References

Affected packages

Maven / org.opencastproject:base

Package

Name
org.opencastproject:base
View open source insights on deps.dev
Purl
pkg:maven/org.opencastproject/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.6

Affected versions

6.*

6.6

7.*

7.2
7.3
7.4
7.5

Maven / org.opencastproject:base

Package

Name
org.opencastproject:base
View open source insights on deps.dev
Purl
pkg:maven/org.opencastproject/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0
Fixed
8.1

Affected versions

8.*

8.0