Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-5228

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.

Published

2020-01-30T20:15:10.310

Last Modified

2024-11-21T05:33:43.257

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.6 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-862
Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apereo	opencast	< 7.6	Yes
Application	apereo	opencast	8.0	Yes

References

https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276 Patch ([email protected])
https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj Mitigation, Third Party Advisory ([email protected])
https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)