CVE-2020-26234

Disabled Hostname Verification in OpenCast

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8 Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.

Opencast versiones anteriores a 8.9 y 7.9, deshabilita la verificación del nombre de host HTTPS de su cliente HTTP utilizado para una gran parte de las peticiones HTTP de Opencast. La verificación del nombre de host es una parte importante cuando se usa HTTPS para garantizar que el certificado presentado sea válido para el host. Deshabilitarlo puede permitir ataques de tipo man-in-the-middle. Este problema se corrigió en Opencast versión 7.9 y Opencast versión 8.8. Tome en cuenta que corregir el problema significa que Opencast ya no aceptará ningún certificado autofirmado sin importarlo apropiadamente. Si los necesita, asegúrese de importarlos al almacén de claves de Java. Mejor aún, obtenga un certificado válido

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-01 CVE Reserved
2020-12-08 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-346: Origin Validation Error

CAPEC

References (2)

URL	Tag	Source
https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc	2020-12-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apereo Search vendor "Apereo"		Opencast Search vendor "Apereo" for product "Opencast"				< 7.9 Search vendor "Apereo" for product "Opencast" and version " < 7.9"		-		Affected
Apereo Search vendor "Apereo"		Opencast Search vendor "Apereo" for product "Opencast"				>= 8.0 < 8.9 Search vendor "Apereo" for product "Opencast" and version " >= 8.0 < 8.9"		-		Affected