CVE-2020-5206
8.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| opencast | opencast | < 7.6 | affected |
| opencast | opencast | >= 8.0, < 8.1 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
- https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
References
- https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
- https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.