CVE-2020-5228 - OpenCVE

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apereo	Opencast

Configuration 1 [-]

OR	cpe:2.3:a:apereo:opencast::::::::
	cpe:2.3:a:apereo:opencast:8.0:::::::*

References

Link	Resource
https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276	Patch
https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj	Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-01-30T19:50:13

Updated: 2020-01-30T19:50:13

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5228

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-30T20:15:10.310

Modified: 2020-02-05T20:55:20.207

Link: CVE-2020-5228

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"containers": {"cna": {"affected": [{"product": "opencast", "vendor": "opencast", "versions": [{"status": "affected", "version": "< 7.6"}, {"status": "affected", "version": ">= 8.0, < 8.1"}]}], "descriptions": [{"lang": "en", "value": "Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-30T19:50:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276"}], "source": {"advisory": "GHSA-6f54-3qr9-pjgj", "discovery": "UNKNOWN"}, "title": "Opencast allows unauthorized public access via OAI-PMH", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5228", "STATE": "PUBLIC", "TITLE": "Opencast allows unauthorized public access via OAI-PMH"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "opencast", "version": {"version_data": [{"version_value": "< 7.6"}, {"version_value": ">= 8.0, < 8.1"}]}}]}, "vendor_name": "opencast"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj", "refsource": "CONFIRM", "url": "https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj"}, {"name": "https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276", "refsource": "MISC", "url": "https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276"}]}, "source": {"advisory": "GHSA-6f54-3qr9-pjgj", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5228", "datePublished": "2020-01-30T19:50:13", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2020-01-30T19:50:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*", "matchCriteriaId": "7056094F-6E63-4BFB-B8A3-125746BA882C", "versionEndExcluding": "7.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A82AABB-ACF6-4017-99E8-4DA90CE416D7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows."}, {"lang": "es", "value": "Opencast versiones anteriores a 8.1 y 7.6, permite el acceso p\u00fablico no autorizado para todos los medios y metadatos por defecto por medio de OAI-PMH. OAI-PMH es parte del flujo de trabajo predeterminado y es activada por defecto, requiriendo la intervenci\u00f3n activa de los usuarios para proteger los medios. Esto conlleva a que los usuarios, sin saberlo, entreguen un acceso p\u00fablico a eventos sin su conocimiento. El problema ha sido abordado en Opencast versiones 7.6 y 8.1, donde el endpoint OAI-PMH es configurado para solicitar usuarios con \"ROLE_ADMIN\" por defecto. Adem\u00e1s de esto, Opencast versi\u00f3n 9 elimina la publicaci\u00f3n OAI-PMH del flujo de trabajo predeterminado, haciendo que la publicaci\u00f3n sea una decisi\u00f3n consciente que los usuarios tienen que tomar al actualizar sus flujos de trabajo."}], "id": "CVE-2020-5228", "lastModified": "2020-02-05T20:55:20.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-01-30T20:15:10.310", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}