A vulnerability classified as critical was found in Opencast up to 7.5/8.0. Affected by this vulnerability is an unknown code block of the component user-utils Endpoint. The manipulation with an unknown input leads to a improper authorization vulnerability. The CWE definition for the vulnerability is CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name � implying an admin for a specific course � users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.

The weakness was released 01/30/2020 (GitHub Repository). The advisory is shared at github.com. This vulnerability is known as CVE-2020-5231 since 01/02/2020. The attack can be launched remotely. The exploitation needs additional levels of successful authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1548.002 for this issue.

Upgrading to version 7.6 or 8.0 eliminates this vulnerability.

Entries connected to this vulnerability are available at 149580, 149579, 149578 and 149577.

Productinfo

Name

• Opencast

Version

• 7.0
• 7.1
• 7.2
• 7.3
• 7.4
• 7.5
• 8.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion