CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
25.8%
The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.
Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user’s credentials, regardless of the target being part of the Opencast cluster or not.
Previous mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.
Opencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.
No workaround available.
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
org.opencastproject | opencast-common | * | cpe:2.3:a:org.opencastproject:opencast-common:*:*:*:*:*:*:*:* |
docs.opencast.org/r/10.x/admin/#changelog
docs.opencast.org/r/10.x/admin/#changelog/#opencast-106
github.com/advisories/GHSA-hcxx-mp6g-6gr9
github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51
github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
nvd.nist.gov/vuln/detail/CVE-2018-16153
www.apereo.org/projects/opencast/news