Lucene search
GoogleOSV:GHSA-W29M-FJP4-QHMQHistoryJan 30, 2020 - 9:21 p.m.
Unsafe Identifiers in Opencast
2020-01-3021:21:50
Google
osv.dev
6
EPSS
0.001
Percentile
38.7%
Impact
Opencast allows almost arbitrary identifiers for media packages and
elements to be used. This can be problematic for operation and security
since such identifiers are sometimes used for file system operations
which may lead to an attacker being able to escape working directories and
write files to other locations.
In addition, Opencast’s Id.toString(…) vs Id.compact(…) behavior,
the latter trying to mitigate some of the file system problems, can
cause errors due to identifier mismatch since an identifier may
unintentionally change.
Patches
This issue is fixed in Opencast 7.6 and 8.1.
Workarounds
There is no workaround for this.
For more information
If you have any questions or comments about this advisory:
- Open an issue in opencast/opencast
- For security-relevant information, email us at [email protected]
Related
cvelist
cvelist
CVE-2020-5230 Opencast uses unsafe identifiers
2020-01-30 20:55:14
osv
osv
CVE-2020-5230
2020-01-30 21:15:15
prion
prion
Code injection
2020-01-30 21:15:00
github
github
Unsafe Identifiers in Opencast
2020-01-30 21:21:50
veracode
veracode
Unsafe Identifiers
2020-01-31 08:14:02
nvd
nvd
CVE-2020-5230
2020-01-30 21:15:15
cve
cve
CVE-2020-5230
2020-01-30 21:15:15
openvas
openvas
Opencast < 7.6.0 and 8.0.0 Multiple Vulnerabilities
2020-02-04 00:00:00