CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5230 – Opencast uses unsafe identifiers
https://notcve.org/view.php?id=CVE-2020-5230
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1. Opencast anterior a las versiones 8.1 y 7.6 permite utilizar identificadores casi arbitrarios para paquetes y elementos de medios. • https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5222 – Hard-Coded Key Used For Remember-me Token in OpenCast
https://notcve.org/view.php?id=CVE-2020-5222
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1 Opencast versiones anteriores a 7.6 y 8.1, habilita una cookie remember-me basada en un hash creado a partir del nombre de usuario, contraseña y una clave de sistema adicional. Esto significa que un atacante que obtiene acceso a un token remember-me para un servidor puede obtener acceso a todos los servidores que permiten el inicio de sesión con las mismas credenciales sin necesidad alguna de las credenciales. Este problema se corrigió en Opencast versión 7.6 y Opencast versión 8.1. • https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6 https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363 • CWE-798: Use of Hard-coded Credentials •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5229 – Opencast stores passwords using outdated MD5 hash algorithm
https://notcve.org/view.php?id=CVE-2020-5229
Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. • https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5228 – Opencast allows unauthorized public access via OAI-PMH
https://notcve.org/view.php?id=CVE-2020-5228
Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows. • https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276 https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-1000221
https://notcve.org/view.php?id=CVE-2017-1000221
In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X. En Opencast 2.2.3 y versiones anteriores, si se solapan nombres de usuario, el servicio de búsqueda de Opencast empleado para la publicación en los módulos multimedia gestionará el control de acceso de manera incorrecta, de forma que solo será necesario que los nombres de usuario correspondan con parte del nombre de usuario utilizado para la restricción de acceso. Por ejemplo, un usuario con el rol ROLE_USER tendrá acceso a las grabaciones publicadas solo para ROLE_USER_X. • https://opencast.jira.com/browse/MH-11862 • CWE-732: Incorrect Permission Assignment for Critical Resource •