Improper access control in Opencast - CVE-2022-29237

 


Published: May 19, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127008
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-29237
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Opencast
Software vendor:
Apereo Foundation

Description

The vulnerability allows a remote authenticated user to bypass organization (tenant) boundaries in a multi-tenant Opencast cluster.

The vulnerability exists due to improper access control in the ingest REST interface when importing media files from user-supplied URLs. The ingest service fetches the supplied URL without verifying that the referenced resource belongs to the requesting user's organization. A remote user can therefore supply the internal URL of a file owned by another organization hosted in the same cluster and have it ingested into their own organization, bypassing the organizational barrier.

Exploitation requires full access to the ingest REST interface and knowledge of the internal URLs of resources in another organization of the same Opencast cluster. Only multi-tenant clusters are affected; single-tenant installations have no second organization to reach.
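The check that a multi-tenant ingest endpoint needs before fetching a user-supplied URL, as an added example that is not Opencast's code: every host served by the cluster is mapped to the organization that owns it, and a URL whose host belongs to a different organization than the one making the ingest request is rejected before anything is downloaded. The organization identifiers (`mh_default_org`, `tenant_b`), the host names and the `CLUSTER` table are constructed assumptions for illustration, as are the sample ingest requests at the bottom.

```python
"""Tenant-scoped URL check for a multi-tenant ingest endpoint.

Added example, not Opencast code: organization identifiers, host names and
the two-tenant cluster below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Organization:
    org_id: str
    hosts: frozenset  # host names that serve this tenant's resources


# Constructed cluster: two tenants sharing one deployment.
CLUSTER = {
    "mh_default_org": Organization(
        "mh_default_org", frozenset({"opencast.example.edu", "admin.example.edu"})
    ),
    "tenant_b": Organization("tenant_b", frozenset({"media.partner.example.org"})),
}

# Reverse index: every host owned by some tenant of this cluster -> owning org.
CLUSTER_HOSTS = {host: org.org_id for org in CLUSTER.values() for host in org.hosts}

ALLOWED_SCHEMES = {"http", "https"}


class IngestUrlRejected(ValueError):
    """Raised when the requesting organization may not fetch the URL."""


def check_ingest_url(url: str, requesting_org: str, allow_external: bool = True) -> str:
    """Return `url` if `requesting_org` may have the ingest service fetch it.

    Rules applied, in order:
      1. only http/https; a URL carrying credentials (user:pass@host) is
         rejected, so 'https://opencast.example.edu@attacker.example/' cannot
         masquerade as a cluster host
      2. a host owned by any tenant of this cluster must be owned by the
         requesting tenant; otherwise the fetch would cross an organization
         boundary and is rejected
      3. hosts outside the cluster are allowed only when allow_external is set
    """
    if requesting_org not in CLUSTER:
        raise IngestUrlRejected(f"unknown organization {requesting_org!r}")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise IngestUrlRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise IngestUrlRejected("credentials in URL are not allowed")
    host = parts.hostname  # lower-cased, port stripped, IPv6 brackets removed
    if not host:
        raise IngestUrlRejected("missing host")
    owner = CLUSTER_HOSTS.get(host)
    if owner is not None:
        if owner != requesting_org:
            raise IngestUrlRejected(
                f"host {host} belongs to {owner!r}, not to {requesting_org!r}"
            )
        return url
    if not allow_external:
        raise IngestUrlRejected(f"host {host} is outside the cluster")
    return url


def is_allowed(url: str, requesting_org: str, allow_external: bool = True) -> bool:
    """Boolean wrapper around check_ingest_url for policy tables and tests."""
    try:
        check_ingest_url(url, requesting_org, allow_external)
    except IngestUrlRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample ingest requests: (requesting org, supplied URL)
    samples = [
        ("mh_default_org", "https://opencast.example.edu/files/mediapackage/1/track.mp4"),
        ("mh_default_org", "https://media.partner.example.org/files/mediapackage/9/track.mp4"),
        ("tenant_b", "https://ADMIN.Example.edu:8443/files/mediapackage/1/track.mp4"),
        ("tenant_b", "https://opencast.example.edu@attacker.example/track.mp4"),
        ("tenant_b", "https://cdn.example.net/lecture.mp4"),
        ("tenant_b", "ftp://media.partner.example.org/lecture.mp4"),
    ]
    for org, url in samples:
        try:
            check_ingest_url(url, org)
            verdict = "allow"
        except IngestUrlRejected as exc:
            verdict = f"reject ({exc})"
        print(f"{org:15s} {url}\n{'':15s} -> {verdict}")
```

A host allow-list is only as good as the list: an IP literal or a DNS alias that reaches the same cluster node without appearing in `CLUSTER_HOSTS` would be treated as external here. In a deployment, either resolve the host and compare addresses against the cluster's own, or have the download path carry the requesting organization down to the storage layer so that the resource's access control list is enforced at fetch time rather than only by URL inspection.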


Remediation

Install the security update from the vendor's website.

External links