GHSA-44cw-p2hm-gpf6

Suggest an improvement
Source
https://github.com/advisories/GHSA-44cw-p2hm-gpf6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-44cw-p2hm-gpf6/GHSA-44cw-p2hm-gpf6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-44cw-p2hm-gpf6
Aliases
Published
2020-12-08T22:37:59Z
Modified
2023-11-01T04:52:43.432018Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Disabled Hostname Verification in Opencast
Details

Opencast before version 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests.

Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks.

Patches

This problem is fixed in Opencast 7.9 and Opencast 8.9

Self-Signed Certificates

Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate e.g. from Let's Encrypt.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-12-08T22:37:44Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-297"
    ]
}
References

Affected packages

Maven / org.opencastproject:opencast-kernel

Package

Name
org.opencastproject:opencast-kernel
View open source insights on deps.dev
Purl
pkg:maven/org.opencastproject/opencast-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.9

Affected versions

6.*

6.6

7.*

7.2
7.3
7.4
7.5
7.6
7.7
7.8

Maven / org.opencastproject:opencast-kernel

Package

Name
org.opencastproject:opencast-kernel
View open source insights on deps.dev
Purl
pkg:maven/org.opencastproject/opencast-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0
Fixed
8.9

Affected versions

8.*

8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8