logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2018-16153 org.opencastproject:opencast-common

Package

Manager: maven
Name: org.opencastproject:opencast-common
Vulnerable Version: >=0 <10.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00227 pctl0.4535

Details

Opencast publishes global system account credentials The issue was mostly mitigated before, drastically reducing the risk. See references below for more information. ### Impact Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of the target being part of the Opencast cluster or not. Previous mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken. ### Patches Opencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place. ### Workarounds No workaround available. ### References - [Patch fixing the issue](https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51) - [Original security notice](https://groups.google.com/a/opencast.org/g/security-notices/c/XRZzRiqp-NE) - [Original security mitigation](https://github.com/opencast/opencast/commit/fe8c3d3a60dc5869b468957270dbad5f8c30ead6) ### For more information If you have any questions or comments about this advisory: - Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues) - Email us at [security@opencast.org](mailto:security@opencast.org)

Metadata

Created: 2021-12-14T21:43:48Z
Modified: 2023-12-14T22:27:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-hcxx-mp6g-6gr9/GHSA-hcxx-mp6g-6gr9.json
CWE IDs: ["CWE-200", "CWE-522"]
Alternative ID: GHSA-hcxx-mp6g-6gr9
Finding: F035
Auto approve: 1