Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-5230

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1.

Published

2020-01-30T21:15:15.167

Last Modified

2024-11-21T05:33:43.470

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.7 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-99
Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apereo	opencast	< 7.6	Yes
Application	apereo	opencast	8.0	Yes

References

https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 Patch ([email protected])
https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq Third Party Advisory ([email protected])
https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)