CVE-2021-32623 – Opencast vulnerable to billion laughs attack (XML bomb)
https://notcve.org/view.php?id=CVE-2021-32623
Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers. The problem has been fixed in Opencast 9.6. There is no known workaround for this issue. • https://github.com/opencast/opencast/commit/8ae27da5a6f658011a5741b3210e715b0dc6213e https://github.com/opencast/opencast/security/advisories/GHSA-9gwx-9cwp-5c2m • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
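The mechanics behind CWE-776, as an added example that is not part of the advisory or of Opencast's code: a constructed billion-laughs document, a static estimator that computes how far the nested entity declarations would expand without ever expanding them (the number that turns one request into a denial of service), and a parse routine that refuses any DOCTYPE, which is the expat counterpart of the JAXP `disallow-doctype-decl` feature a Java service would set. The entity names, thresholds and function names are this example's own.

```python
import re
import xml.parsers.expat


def billion_laughs(depth: int = 9, fanout: int = 10) -> bytes:
    """Construct the classic entity-expansion bomb (sample input built here,
    not taken from the advisory). lol0 expands to "lol"; every lol{n} is
    `fanout` references to lol{n-1}, so &lol{depth}; expands to
    3 * fanout**depth bytes from a document of about a kilobyte."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, "&lol%d;" % (i - 1) * fanout))
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>\n'
        % ("\n".join(decls), depth)
    ).encode()


_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_REF_RE = re.compile(r"&(\w+);")


def _expanded_length(value: str, decls: dict, memo: dict, stack: frozenset) -> int:
    """Length of `value` after recursively resolving general entity references,
    computed arithmetically with memoisation: nothing is actually expanded."""
    total, last = 0, 0
    for m in _REF_RE.finditer(value):
        name = m.group(1)
        total += m.start() - last
        last = m.end()
        if name not in decls:            # &amp; and friends, or undefined: count as written
            total += len(m.group(0))
            continue
        if name in stack:
            raise ValueError("recursive entity reference: " + name)
        if name not in memo:
            memo[name] = _expanded_length(decls[name], decls, memo, stack | {name})
        total += memo[name]
    return total + len(value) - last


def entity_sizes(xml_bytes: bytes) -> dict:
    """Expanded byte length of every general entity declared in the internal DTD subset."""
    text = xml_bytes.decode("utf-8", "replace")
    decls = dict(_ENTITY_RE.findall(text))
    memo = {}
    for name in decls:
        if name not in memo:
            memo[name] = _expanded_length(decls[name], decls, memo, frozenset({name}))
    return memo


def amplification_factor(xml_bytes: bytes) -> float:
    """Ratio of expanded document body to wire size."""
    text = xml_bytes.decode("utf-8", "replace")
    decls = dict(_ENTITY_RE.findall(text))
    body = text[text.rfind("]>") + 2:] if "<!DOCTYPE" in text else text
    return _expanded_length(body, decls, {}, frozenset()) / max(len(xml_bytes), 1)


def is_xml_bomb(xml_bytes: bytes, max_factor: float = 100.0) -> bool:
    """Reject input whose entity expansion would exceed `max_factor` times its size
    (threshold assumed here; pick one that fits the documents you legitimately accept)."""
    return amplification_factor(xml_bytes) > max_factor


def parse_without_doctype(xml_bytes: bytes) -> list:
    """Hardened parse: no DOCTYPE means no entity declarations, so no expansion.
    Returns the element names seen, in document order."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in uploaded XML (got %r)" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names
```

The estimator is the check to run on ingested XML when a DOCTYPE has to be tolerated; refusing DOCTYPE outright is the simpler fix and is what most services can afford, since normal ingest payloads carry no DTD.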
CVE-2021-21318 – Removing access may not affect published series
https://notcve.org/view.php?id=CVE-2021-21318
Opencast is a free, open-source platform to support the management of educational audio and video content. In Opencast before version 9.2 there is a vulnerability in which publishing an episode with strict access rules will overwrite the currently set series access. This allows for an easy denial of access for all users without superuser privileges, effectively hiding the series. Access to series and series metadata on the search service (shown in media module and player) depends on the events published which are part of the series. Publishing an event will automatically publish a series and update access to it. • https://github.com/opencast/opencast/commit/b18c6a7f81f08ed14884592a6c14c9ab611ad450 https://github.com/opencast/opencast/security/advisories/GHSA-vpc2-3wcv-qj4w • CWE-863: Incorrect Authorization •
CVE-2020-26234 – Disabled Hostname Verification in OpenCast
https://notcve.org/view.php?id=CVE-2020-26234
Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an essential part of HTTPS: it ensures that the presented certificate is actually valid for the host being contacted. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8. Please be aware that fixing the problem means that Opencast will no longer simply accept any self-signed certificate without it being properly imported. If you need such certificates, make sure to import them into the Java key store. • https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6 • CWE-346: Origin Validation Error •
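An added example, not taken from Opencast (whose client is Java), showing the weak configuration beside the corrected one in Python's `ssl` module, and an illustrative DNS-ID matcher that makes concrete what hostname verification checks: with the check off, any certificate that chains to a trusted CA is accepted for any host. The matcher is a simplified RFC 6125 style rule (exact match, or a wildcard only in the left-most label), not the matcher of any particular library; the function names are this example's own.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What the pre-fix behaviour amounts to: the chain is still validated, but
    the client never asks whether the certificate was issued for the host it is
    talking to. A valid cert for attacker.example.org passes for any server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the dangerous setting
    return ctx


def hardened_client_context(extra_ca_file: str = None) -> ssl.SSLContext:
    """Chain validation and hostname verification on. A self-signed or private-CA
    certificate is handled by trusting that CA explicitly (the counterpart of
    importing it into the Java key store), never by switching verification off."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if extra_ca_file:                   # path to a PEM bundle, supplied by the operator
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def hostname_matches(hostname: str, dns_names) -> bool:
    """Illustrative DNS-ID matching against the certificate's subjectAltName
    entries: exact match, or a wildcard in the left-most label that stands for
    exactly one label. Shown to make concrete what check_hostname=False throws away."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (
            labels[0] == "*"
            and len(labels) == len(host_labels)
            and len(labels) >= 3                 # refuse "*.edu" style wildcards
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False
```

When connecting, the hardened context must still be handed the intended host (`ctx.wrap_socket(sock, server_hostname=host)`); verification compares the certificate against that name, which is why dropping it was equivalent to trusting every certificate the configured CAs ever issued.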
CVE-2020-5206 – Authentication Bypass For Endpoints With Anonymous Access in OpenCast
https://notcve.org/view.php?id=CVE-2020-5206
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect, given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1. • https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8 https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x • CWE-285: Improper Authorization CWE-287: Improper Authentication •
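The failure pattern in miniature, as an added example that is not Opencast's code or Spring Security's token format: a signed remember-me token of the assumed shape `username:expiry:hmac`, an attacker-side forger that fills in any username with a bogus signature, a resolver that trusts the username field as the vulnerable endpoint did, and the corrected resolver that drops to anonymous unless the signature and expiry hold. The key, token layout and function names are this example's assumptions.

```python
import base64
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"   # assumed server-side secret


def _sign(username: str, expiry: int, key: bytes) -> str:
    return hmac.new(key, f"{username}:{expiry}".encode(), hashlib.sha256).hexdigest()


def mint_token(username: str, ttl_seconds: int = 14 * 86400,
               key: bytes = SERVER_KEY, now: float = None) -> str:
    """Server-side issuance after a real login: base64(username:expiry:hmac)."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    raw = f"{username}:{expiry}:{_sign(username, expiry, key)}"
    return base64.urlsafe_b64encode(raw.encode()).decode()


def forge_token(username: str) -> str:
    """Attacker side: no key, so the signature is garbage; only the username matters
    if the server never checks it."""
    raw = f"{username}:{2**31 - 1}:{'0' * 64}"
    return base64.urlsafe_b64encode(raw.encode()).decode()


def _split(token: str):
    """Decode into (username, expiry, signature); None on any malformed input."""
    try:
        username, expiry, sig = base64.urlsafe_b64decode(token.encode()).decode().rsplit(":", 2)
        return username, int(expiry), sig
    except ValueError:          # bad base64, bad UTF-8, wrong field count, non-integer expiry
        return None


def user_from_token_insecure(token: str):
    """The broken pattern: the username is read out and believed."""
    parts = _split(token)
    return parts[0] if parts else None


def user_from_token(token: str, key: bytes = SERVER_KEY, now: float = None):
    """Corrected: signature compared in constant time, then expiry, else nobody."""
    parts = _split(token)
    if parts is None:
        return None
    username, expiry, sig = parts
    if not hmac.compare_digest(sig, _sign(username, expiry, key)):
        return None
    if expiry < (time.time() if now is None else now):
        return None
    return username


def principal_for_request(token: str, strict: bool = True) -> str:
    """An endpoint that also permits anonymous access: an invalid cookie must yield
    the anonymous principal, not the name written inside the cookie."""
    resolve = user_from_token if strict else user_from_token_insecure
    return (resolve(token) if token else None) or "anonymous"
```

The point of `principal_for_request` is the fall-through: on an endpoint that accepts anonymous callers, a remember-me filter that fails open hands the caller whatever identity the cookie names, so "invalid token" must mean "anonymous", never "whatever the cookie says".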
CVE-2020-5231 – Opencast users with ROLE_COURSE_ADMIN can create new users
https://notcve.org/view.php?id=CVE-2020-5231
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name, implying an admin for a specific course, users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1, which both ship a new default security configuration. • https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg • CWE-276: Incorrect Default Permissions CWE-285: Improper Authorization •
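The audit a practitioner would want after reading this entry, as an added example that is not Opencast's code: a role that exists only in the security configuration is a privilege nobody reviews, so cross-check every role granted in the `intercept-url` rules against the roles the application actually defines and list the ones that appear in the config alone. The Spring Security style XML below and the set of "roles known to the code" are constructed for the example and do not reproduce Opencast's real configuration; `ROLE_COURSE_ADMIN` on `/user-utils/**` is the situation the advisory describes, the rest is filler.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Spring Security style fragment (not Opencast's shipped configuration).
SECURITY_XML = """<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN" />
    <sec:intercept-url pattern="/user-utils/**" access="ROLE_ADMIN, ROLE_COURSE_ADMIN" />
    <sec:intercept-url pattern="/search/**" access="ROLE_ANONYMOUS, ROLE_USER" />
  </sec:http>
</beans>
"""

# Same fragment with the user-creation endpoint restricted to ROLE_ADMIN only.
HARDENED_XML = SECURITY_XML.replace('"ROLE_ADMIN, ROLE_COURSE_ADMIN"', '"ROLE_ADMIN"')

# Constructed stand-in for the roles the code base defines or references.
# In practice collect these by grepping the sources and documentation.
ROLES_IN_CODE = {"ROLE_ADMIN", "ROLE_USER", "ROLE_ANONYMOUS"}

_ROLE_RE = re.compile(r"\bROLE_[A-Z0-9_]+\b")


def roles_by_pattern(xml_text: str) -> dict:
    """Map each intercept-url pattern to the set of roles its access expression names.
    The namespace prefix is ignored so the same code works with or without `sec:`."""
    root = ET.fromstring(xml_text)
    rules = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "intercept-url" and "access" in el.attrib:
            rules[el.attrib["pattern"]] = set(_ROLE_RE.findall(el.attrib["access"]))
    return rules


def phantom_roles(xml_text: str, known_roles: set) -> dict:
    """Roles granted access in the config but defined nowhere else, keyed by pattern."""
    findings = {}
    for pattern, roles in roles_by_pattern(xml_text).items():
        unknown = roles - known_roles
        if unknown:
            findings[pattern] = unknown
    return findings


def patterns_open_to(xml_text: str, role: str) -> set:
    """Every URL pattern a holder of `role` can reach: the blast radius of one role."""
    return {p for p, roles in roles_by_pattern(xml_text).items() if role in roles}
```

Run `phantom_roles` against each deployed security configuration, not just the shipped default, since the advisory's point is that the grant lived only in configuration; `patterns_open_to` then shows what any surprising role actually unlocks.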