GHSA-hcxx-mp6g-6gr9

Suggest an improvement
Source
https://github.com/advisories/GHSA-hcxx-mp6g-6gr9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-hcxx-mp6g-6gr9/GHSA-hcxx-mp6g-6gr9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hcxx-mp6g-6gr9
Aliases
Published
2021-12-14T21:43:48Z
Modified
2023-12-14T22:31:19.863691Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Opencast publishes global system account credentials
Details

The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.

Impact

Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of the target being part of the Opencast cluster or not.

Previous mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.

Patches

Opencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.

Workarounds

No workaround available.

References

For more information

If you have any questions or comments about this advisory: - Open an issue in our issue tracker - Email us at security@opencast.org

Database specific
{
    "nvd_published_at": "2023-12-12T17:15:07Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-522"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-14T15:51:41Z"
}
References

Affected packages

Maven / org.opencastproject:opencast-common

Package

Name
org.opencastproject:opencast-common
View open source insights on deps.dev
Purl
pkg:maven/org.opencastproject/opencast-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.6

Affected versions

6.*

6.6

7.*

7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9

8.*

8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11

9.*

9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.9
9.10
9.11
9.12

10.*

10.0
10.1
10.2
10.3
10.4
10.5