GHSA-qm6v-cg9v-53j3

Source
https://github.com/advisories/GHSA-qm6v-cg9v-53j3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qm6v-cg9v-53j3/GHSA-qm6v-cg9v-53j3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qm6v-cg9v-53j3
Aliases
Published
2022-05-25T20:16:36Z
Modified
2023-11-01T04:58:43.489572Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Limited Authentication Bypass for Media Files
Details

Prior to Opencast 10.14 and 11.7, a user could submit to the ingest service URLs of files belonging to organizations (tenants) other than the user's own. Opencast would fetch those files and import them into the user's current organization, bypassing the organizational barrier between tenants.

Impact

The vulnerability allows an attacker to bypass organizational barriers and pull media from another tenant into their own. Exploitation requires an authenticated account with full access to Opencast's ingest REST interface, and the attacker must also know the internal URLs of the target resources in another organization of the same Opencast cluster; it does not grant access to arbitrary unknown files.

If you do not run a multi-tenant cluster, you are not affected by this issue.
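The defect described above is a missing tenant check on a caller-supplied URL that the server then fetches on the caller's behalf. The following Python is an added example written for this page, not Opencast code and not the fix that shipped in 10.14 / 11.7: it places the pre-fix pattern (fetch whatever URL the caller sent) beside a hardened ingest routine that first resolves the URL's host to an organization and refuses anything owned by a different tenant. The organization ids, host names, host-based tenant layout and in-memory file store are all constructed for the example.

```python
"""Tenant-scoped validation of caller-supplied media URLs (added example).

Not Opencast code. Models the bug class in this advisory: an ingest endpoint
accepts a URL from an authenticated caller and fetches it server-side, so the
server must establish that the URL belongs to the caller's own organization
before any fetch happens. Tenant layout and data below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Organization:
    id: str
    hosts: frozenset[str]  # host names that serve this tenant (assumption)


# Constructed multi-tenant cluster: two organizations, one host each.
ORGS = {
    "org_a": Organization("org_a", frozenset({"a.example.edu"})),
    "org_b": Organization("org_b", frozenset({"b.example.edu"})),
}

# Constructed internal file store standing in for the cluster's HTTP
# resources: URL -> (owning organization id, content).
FILE_STORE = {
    "https://a.example.edu/files/lecture1.mp4": ("org_a", b"A-video"),
    "https://b.example.edu/files/exam.mp4": ("org_b", b"B-video"),
}


class TenantBarrierError(PermissionError):
    """Raised when a URL refers to resources outside the caller's organization."""


def _fetch(url: str) -> bytes:
    """Stand-in for the server-side HTTP fetch; no network is used."""
    try:
        return FILE_STORE[url][1]
    except KeyError:
        raise FileNotFoundError(url) from None


def ingest_vulnerable(url: str, current_org: Organization) -> bytes:
    """Pre-fix pattern: the URL is fetched for the caller with no check that
    it belongs to the caller's organization. current_org is never consulted."""
    return _fetch(url)


def owning_org(url: str) -> Organization | None:
    """Map the URL's host to the organization that serves it, or None for a
    host outside the cluster. Rejects non-HTTP schemes outright."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = (parts.hostname or "").lower()  # urlsplit already lowercases
    for org in ORGS.values():
        if host in org.hosts:
            return org
    return None


def is_permitted(url: str, current_org: Organization) -> bool:
    """Audit predicate: True only if the URL is served by the caller's own
    organization. External hosts and odd schemes are both False."""
    try:
        owner = owning_org(url)
    except ValueError:
        return False
    return owner is not None and owner.id == current_org.id


def ingest_hardened(url: str, current_org: Organization,
                    allow_external: bool = False) -> bytes:
    """Fetch only after proving the URL is inside the caller's organization
    (or, when explicitly allowed, outside the cluster entirely)."""
    owner = owning_org(url)
    if owner is None:
        if not allow_external:
            raise TenantBarrierError(f"external URL not permitted: {url}")
    elif owner.id != current_org.id:
        raise TenantBarrierError(
            f"{url} belongs to {owner.id}, caller is in {current_org.id}")
    return _fetch(url)


if __name__ == "__main__":
    org_a = ORGS["org_a"]
    cross = "https://b.example.edu/files/exam.mp4"
    print("vulnerable:", ingest_vulnerable(cross, org_a))  # leaks org_b's file
    try:
        ingest_hardened(cross, org_a)
    except TenantBarrierError as err:
        print("hardened:", err)
```

The check runs before the fetch and keys on the host the cluster itself serves, so it does not rely on the caller being unable to guess internal links (the advisory notes those links are the only other thing an attacker needs). If your tenants share a host and differ only by path, the ownership lookup has to be done on the path instead; the host-based layout here is an assumption.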

Patches

This issue is fixed in Opencast 10.14 and 11.7.
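To decide whether a given deployment needs the upgrade, the two affected ranges listed further down the page (everything before 10.14, and 11.0 up to but not including 11.7) can be encoded directly. The Python below is an added example for this page, not tooling from the Opencast project; it parses an Opencast version string and reports whether it falls in an affected range, treating a `-SNAPSHOT` build of a fixed version as older than that release, which is a conservative assumption of this example.

```python
"""Does an Opencast version fall in this advisory's affected ranges?
Added example for GHSA-qm6v-cg9v-53j3, not part of the advisory or of Opencast.
"""
import re

# Ranges as listed on the page. Each bound is (major, minor, release_flag):
# release_flag 0 covers snapshot/pre-release builds of that version, 1 the
# release itself. "introduced" None means all previous versions are affected.
AFFECTED_RANGES = [
    (None, (10, 14, 1)),          # < 10.14
    ((11, 0, 0), (11, 7, 1)),     # 11.0 <= v < 11.7
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.\d+)?(-SNAPSHOT)?\s*$", re.I)


def parse_version(version: str) -> tuple[int, int, int]:
    """'11.6' -> (11, 6, 1); '11.7-SNAPSHOT' -> (11, 7, 0).
    The snapshot ordering below the release is this example's assumption."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Opencast version string: {version!r}")
    major, minor, snapshot = m.groups()
    return (int(major), int(minor), 0 if snapshot else 1)


def is_affected(version: str) -> bool:
    """True if the version is inside any affected range of this advisory."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if (introduced is None or v >= introduced) and v < fixed:
            return True
    return False


def classify(versions: list[str]) -> dict[str, bool]:
    """Batch form for a fleet: version string -> affected?"""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample of versions one might see across a fleet.
    for ver, hit in classify(["9.12", "10.13", "10.14", "11.6", "11.7", "11.7-SNAPSHOT", "12.0"]).items():
        print(f"{ver:14} {'AFFECTED' if hit else 'fixed'}")
```

Feed it the version string your instance reports (the page itself gives no endpoint for this, so how you obtain it is deployment-specific). Remember the advisory's own scoping: a single-tenant installation is not affected even on a version this check flags.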

References

For more information

If you have any questions or comments about this advisory:
  • Open an issue in our issue tracker
  • Email us at security@opencast.org

Database specific
{
    "cwe_ids": [
        "CWE-287"
    ],
    "nvd_published_at": "2022-05-24T15:15:00Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2022-05-25T20:16:36Z"
}
Affected packages

Maven / org.opencastproject:opencast-ingest-service-impl

Package

Name
org.opencastproject:opencast-ingest-service-impl
Purl
pkg:maven/org.opencastproject/opencast-ingest-service-impl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
10.14

Affected versions

6.*

6.6

7.*

7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9

8.*

8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11

9.*

9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.9
9.10
9.11
9.12

10.*

10.0
10.1
10.2
10.3
10.4
10.5
10.6
10.7
10.8
10.9
10.10
10.11
10.12

Maven / org.opencastproject:opencast-ingest-service-impl

Package

Name
org.opencastproject:opencast-ingest-service-impl
Purl
pkg:maven/org.opencastproject/opencast-ingest-service-impl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0
Fixed
11.7

Affected versions

11.*

11.0
11.1
11.2
11.3
11.4
11.5
11.6