CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-27178
https://notcve.org/view.php?id=CVE-2020-27178
Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication. Apereo CAS versiones 5.3.x anteriores a 5.3.16, versiones 6.x anteriores a 6.1.7.2, versiones 6.2.x anteriores a 6.2.4 y versiones 6.3.x anteriores a 6.3.0-RC4, maneja inapropiadamente las claves secretas con Google Authenticator para la autenticación multifactor • https://apereo.github.io/2020/10/14/gauthvuln •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5206 – Authentication Bypass For Endpoints With Anonymous Access in OpenCast
https://notcve.org/view.php?id=CVE-2020-5206
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1 En Opencast versiones anteriores a 7.6 y 8.1, usando una cookie remember-me con un nombre de usuario arbitrario puede causar que Opencast asuma una autenticación apropiada para ese usuario, inclusive si la cookie remember-me era incorrecta, dado que el endpoint atacado también permite el acceso anónimo. De esta forma, un atacante puede, por ejemplo, falsificar un token de remember-me, asumir la identidad del administrador del sistema global y solicitar contenido no público desde el servicio de búsqueda sin proporcionar una autenticación adecuada. Este problema se corrigió en Opencast versión 7.6 y Opencast versión 8.1. • https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8 https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x • CWE-285: Improper Authorization CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-5231 – Opencast users with ROLE_COURSE_ADMIN can create new users
https://notcve.org/view.php?id=CVE-2020-5231
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. En Opencast anterior a las versiones 7.6 y 8.1, los usuarios con el rol ROLE_COURSE_ADMIN pueden usar el punto final user-utils para crear nuevos usuarios sin incluir el rol ROLE_ADMIN. • https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg • CWE-276: Incorrect Default Permissions CWE-285: Improper Authorization •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5230 – Opencast uses unsafe identifiers
https://notcve.org/view.php?id=CVE-2020-5230
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1. Opencast anterior a las versiones 8.1 y 7.6 permite utilizar identificadores casi arbitrarios para paquetes y elementos de medios. • https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5222 – Hard-Coded Key Used For Remember-me Token in OpenCast
https://notcve.org/view.php?id=CVE-2020-5222
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1 Opencast versiones anteriores a 7.6 y 8.1, habilita una cookie remember-me basada en un hash creado a partir del nombre de usuario, contraseña y una clave de sistema adicional. Esto significa que un atacante que obtiene acceso a un token remember-me para un servidor puede obtener acceso a todos los servidores que permiten el inicio de sesión con las mismas credenciales sin necesidad alguna de las credenciales. Este problema se corrigió en Opencast versión 7.6 y Opencast versión 8.1. • https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6 https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363 • CWE-798: Use of Hard-coded Credentials •