// For flags

CVE-2017-1000221

 

Severity Score

6.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X.

En Opencast 2.2.3 y versiones anteriores, si se solapan nombres de usuario, el servicio de búsqueda de Opencast empleado para la publicación en los módulos multimedia gestionará el control de acceso de manera incorrecta, de forma que solo será necesario que los nombres de usuario correspondan con parte del nombre de usuario utilizado para la restricción de acceso. Por ejemplo, un usuario con el rol ROLE_USER tendrá acceso a las grabaciones publicadas solo para ROLE_USER_X.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-11-17 CVE Reserved
  • 2017-11-17 CVE Published
  • 2024-09-16 CVE Updated
  • 2024-09-16 First Exploit
  • 2024-09-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://opencast.jira.com/browse/MH-11862 2024-09-16
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apereo
Search vendor "Apereo"
 Opencast
Search vendor "Apereo" for product "Opencast"
 <= 2.2.3
Search vendor "Apereo" for product "Opencast" and version " <= 2.2.3"
-
Affected