CVE-2020-5222 - OpenCVE

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apereo	Opencast

Configuration 1 [-]

OR	cpe:2.3:a:apereo:opencast::::::::
	cpe:2.3:a:apereo:opencast:8.0:::::::*

References

Link	Resource
https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6	Patch
https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363	Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-01-30T20:50:13

Updated: 2020-01-30T20:50:13

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5222

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-30T21:15:14.980

Modified: 2020-02-05T18:51:49.603

Link: CVE-2020-5222

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"product": "opencast", "vendor": "opencast", "versions": [{"status": "affected", "version": "< 7.6"}, {"status": "affected", "version": ">= 8.0, < 8.1"}]}], "descriptions": [{"lang": "en", "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-30T20:50:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"}], "source": {"advisory": "GHSA-mh8g-hprg-8363", "discovery": "UNKNOWN"}, "title": "Hard-Coded Key Used For Remember-me Token in OpenCast", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5222", "STATE": "PUBLIC", "TITLE": "Hard-Coded Key Used For Remember-me Token in OpenCast"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "opencast", "version": {"version_data": [{"version_value": "< 7.6"}, {"version_value": ">= 8.0, < 8.1"}]}}]}, "vendor_name": "opencast"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798 Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363", "refsource": "CONFIRM", "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"}, {"name": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6", "refsource": "MISC", "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"}]}, "source": {"advisory": "GHSA-mh8g-hprg-8363", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5222", "datePublished": "2020-01-30T20:50:13", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2020-01-30T20:50:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*", "matchCriteriaId": "7056094F-6E63-4BFB-B8A3-125746BA882C", "versionEndExcluding": "7.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A82AABB-ACF6-4017-99E8-4DA90CE416D7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"}, {"lang": "es", "value": "Opencast versiones anteriores a 7.6 y 8.1, habilita una cookie remember-me basada en un hash creado a partir del nombre de usuario, contrase\u00f1a y una clave de sistema adicional. Esto significa que un atacante que obtiene acceso a un token remember-me para un servidor puede obtener acceso a todos los servidores que permiten el inicio de sesi\u00f3n con las mismas credenciales sin necesidad alguna de las credenciales. Este problema se corrigi\u00f3 en Opencast versi\u00f3n 7.6 y Opencast versi\u00f3n 8.1."}], "id": "CVE-2020-5222", "lastModified": "2020-02-05T18:51:49.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-01-30T21:15:14.980", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "security-advisories@github.com", "type": "Secondary"}]}