Improper access control in Opencast - CVE-2021-21318
Published: February 18, 2021 / Updated: April 23, 2026
Vulnerability identifier: #VU127010
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21318
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Opencast
Opencast
Software vendor:
Apereo Foundation
Apereo Foundation
Description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in search-service-impl when removing an event from a published series. A remote user can remove an episode to disclose sensitive information.
The issue can leave series metadata accessible with broader access rules than those of the remaining events, or keep series metadata available after all episodes in the series have been removed.
Remediation
Install security update from vendor's website.