CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21318 – Removing access may not effect published series
https://notcve.org/view.php?id=CVE-2021-21318
Opencast is a free, open-source platform to support the management of educational audio and video content. In Opencast before version 9.2 there is a vulnerability in which publishing an episode with strict access rules will overwrite the currently set series access. This allows for an easy denial of access for all users without superuser privileges, effectively hiding the series. Access to series and series metadata on the search service (shown in media module and player) depends on the events published which are part of the series. Publishing an event will automatically publish a series and update access to it. • https://github.com/opencast/opencast/commit/b18c6a7f81f08ed14884592a6c14c9ab611ad450 https://github.com/opencast/opencast/security/advisories/GHSA-vpc2-3wcv-qj4w • CWE-863: Incorrect Authorization •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-26234 – Disabled Hostname Verification in OpenCast
https://notcve.org/view.php?id=CVE-2020-26234
Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8 Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. • https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6 • CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5206 – Authentication Bypass For Endpoints With Anonymous Access in OpenCast
https://notcve.org/view.php?id=CVE-2020-5206
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1 En Opencast versiones anteriores a 7.6 y 8.1, usando una cookie remember-me con un nombre de usuario arbitrario puede causar que Opencast asuma una autenticación apropiada para ese usuario, inclusive si la cookie remember-me era incorrecta, dado que el endpoint atacado también permite el acceso anónimo. De esta forma, un atacante puede, por ejemplo, falsificar un token de remember-me, asumir la identidad del administrador del sistema global y solicitar contenido no público desde el servicio de búsqueda sin proporcionar una autenticación adecuada. Este problema se corrigió en Opencast versión 7.6 y Opencast versión 8.1. • https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8 https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x • CWE-285: Improper Authorization CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-5231 – Opencast users with ROLE_COURSE_ADMIN can create new users
https://notcve.org/view.php?id=CVE-2020-5231
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. En Opencast anterior a las versiones 7.6 y 8.1, los usuarios con el rol ROLE_COURSE_ADMIN pueden usar el punto final user-utils para crear nuevos usuarios sin incluir el rol ROLE_ADMIN. • https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg • CWE-276: Incorrect Default Permissions CWE-285: Improper Authorization •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5230 – Opencast uses unsafe identifiers
https://notcve.org/view.php?id=CVE-2020-5230
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1. Opencast anterior a las versiones 8.1 y 7.6 permite utilizar identificadores casi arbitrarios para paquetes y elementos de medios. • https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •