SB2020012953 - Multiple vulnerabilities in Opencast
Published: January 29, 2020 Updated: April 23, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-5231)
The vulnerability allows a remote user to create new users.
The vulnerability exists due to improper access control in the user-utils endpoint when handling user creation requests. A remote user can send a crafted PUT request to create new users.
The issue affects users assigned the ROLE_COURSE_ADMIN role.
2) Improper Authentication (CVE-ID: CVE-2020-5206)
The vulnerability allows a remote attacker to bypass authentication and access non-public content.
The vulnerability exists due to improper authentication in endpoints with anonymous access when processing a remember-me cookie with an arbitrary username. A remote attacker can supply a forged remember-me cookie to bypass authentication and access non-public content.
The issue occurs only for endpoints that allow anonymous access.
3) Use of hard-coded credentials (CVE-ID: CVE-2020-5222)
The vulnerability allows a remote attacker to gain unauthorized access to other servers.
The vulnerability exists due to use of a hard-coded cryptographic key in the remember-me token configuration in etc/security/mh_default_org.xml when validating remember-me authentication tokens. A remote attacker can reuse a compromised remember-me token from one server to gain unauthorized access to other servers.
The issue is particularly relevant in clustered deployments where multiple machines accept the same credentials.
4) Path traversal (CVE-ID: CVE-2020-5230)
The vulnerability allows a remote attacker to write files to unintended locations.
The vulnerability exists due to improper input validation in identifier handling for media packages and elements when using identifiers in file system operations. A remote attacker can supply a crafted identifier to write files to unintended locations.
5) Use of Password Hash With Insufficient Computational Effort (CVE-ID: CVE-2020-5229)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to weak password hashing in password storage in opencast-kernel. A remote user who has obtained password hashes from the database can crack the MD5 password hashes to disclose sensitive information.
The hashes are salted with the username instead of a random salt, which can cause identical hashes for users with the same username and password.
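Added example, not taken from Opencast or the vendor advisories: it contrasts MD5 salted with the username against a random-salt slow hash and shows a legacy record being replaced on the first successful login. The `password{username}` input layout, the choice of PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example


def legacy_hash(username, password):
    """MD5 salted with the username, as in the bulletin.
    The "password{username}" layout is an assumption for illustration."""
    return hashlib.md5(f"{password}{{{username}}}".encode()).hexdigest()


def strong_hash(password):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(username, password, stored):
    """Return (ok, record_to_store). A legacy MD5 record is replaced by a
    PBKDF2 record on the first successful login."""
    if stored.startswith("pbkdf2$"):
        _, rounds, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(candidate.hex(), digest_hex), stored
    if hmac.compare_digest(legacy_hash(username, password), stored):
        return True, strong_hash(password)
    return False, stored


def demo():
    # Constructed sample: the same account created on two installations.
    user, pw = "lecturer", "correct horse"
    site_a, site_b = legacy_hash(user, pw), legacy_hash(user, pw)
    ok, upgraded = verify(user, pw, site_a)
    return {
        "legacy_identical": site_a == site_b,
        "strong_identical": strong_hash(pw) == strong_hash(pw),
        "login_ok": ok,
        "upgraded_verifies": verify(user, pw, upgraded)[0],
        "wrong_password": verify(user, "wrong", upgraded)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because the legacy digest depends only on the username and password, it is the same wherever that pair is used, while two PBKDF2 records for the same password never match.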
6) Improper access control (CVE-ID: CVE-2020-5228)
The vulnerability allows a remote attacker to disclose media and metadata.
The vulnerability exists due to improper access control in the OAI-PMH endpoint when handling unauthenticated requests. A remote attacker can access published media and metadata without authenticating.
OAI-PMH is part of the default workflow and is activated by default.
Remediation
Install the update from the vendor's website.
References
- https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg
- https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
- https://github.com/advisories/GHSA-vmm6-w4cf-7f3x
- https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363
- https://github.com/advisories/GHSA-mh8g-hprg-8363
- https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq
- https://github.com/advisories/GHSA-w29m-fjp4-qhmq
- https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c
- https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj