logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-5231 org.opencastproject:opencast-kernel

Package

Manager: maven
Name: org.opencastproject:opencast-kernel
Vulnerable Version: >=0 <7.6 || >=8.0 <8.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00229 pctl0.45652

Details

Users with ROLE_COURSE_ADMIN can create new users in Opencast ### Impact Users with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint to create new users not including the role `ROLE_ADMIN`. For example: ```bash # Use the admin to create a new user with ROLE_COURSE_ADMIN using the admin user. # We expect this to work. % curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 # Use the new user to create more new users. # We don't expüect a user with just role ROLE_COURSE_ADMIN to succeed. # But it does work % curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 ``` `ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. ### Patches This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. ### Workarounds You can fix this issue by removing all instances of `ROLE_COURSE_ADMIN` in your organization's security configuration (`etc/security/mh_default_org.xml` by default). ### For more information If you have any questions or comments about this advisory: - Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues) - For security-relevant information, email us at security@opencast.org

Metadata

Created: 2020-01-30T21:21:37Z
Modified: 2021-10-20T18:03:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-94qw-r73x-j7hg/GHSA-94qw-r73x-j7hg.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-94qw-r73x-j7hg
Finding: F039
Auto approve: 1