ghsa-hcxx-mp6g-6gr9
Vulnerability from github
Published
2021-12-14 21:43
Modified
2023-12-14 22:27
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Opencast publishes global system account credentials
Details

The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.

Impact

Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of the target being part of the Opencast cluster or not.

Previous mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.

Patches

Opencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.

Workarounds

No workaround available.

References

For more information

If you have any questions or comments about this advisory: - Open an issue in our issue tracker - Email us at security@opencast.org

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-16153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-14T15:51:41Z",
    "nvd_published_at": "2023-12-12T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.\n\n### Impact\n\nOpencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user\u0027s credentials, regardless of the target being part of the Opencast cluster or not.\n\nPrevious mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.\n\n### Patches\n\nOpencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.\n\n### Workarounds\n\nNo workaround available.\n\n### References\n\n- [Patch fixing the issue](https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51)\n- [Original security notice](https://groups.google.com/a/opencast.org/g/security-notices/c/XRZzRiqp-NE)\n- [Original security mitigation](https://github.com/opencast/opencast/commit/fe8c3d3a60dc5869b468957270dbad5f8c30ead6)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues)\n- Email us at [security@opencast.org](mailto:security@opencast.org)\n",
  "id": "GHSA-hcxx-mp6g-6gr9",
  "modified": "2023-12-14T22:27:16Z",
  "published": "2021-12-14T21:43:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16153"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51"
    },
    {
      "type": "WEB",
      "url": "https://docs.opencast.org/r/10.x/admin/#changelog"
    },
    {
      "type": "WEB",
      "url": "https://docs.opencast.org/r/10.x/admin/#changelog/#opencast-106"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-hcxx-mp6g-6gr9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencast/opencast"
    },
    {
      "type": "WEB",
      "url": "https://www.apereo.org/projects/opencast/news"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Opencast publishes global system account credentials"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.