CVE-2020-5228
CVE-2020-5228 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, so users must actively intervene to protect their media. EPSS estimates a 0.98% chance of exploitation in the next 30 days.
Description
Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, so users must actively intervene to protect their media. As a result, users unknowingly grant public access to events. The problem has been addressed in Opencast 7.6 and 8.1, where the OAI-PMH endpoint is configured to require `ROLE_ADMIN` by default. In addition, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.
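The fix described above is a change of default access rule rather than a code change, so the practical check is whether a deployment's access rules still expose the OAI-PMH path to anonymous requests. The following is an added example, not Opencast project code: it assumes the endpoint is protected by Spring Security `<sec:intercept-url pattern="..." access="..."/>` rules (the file name, rule set and role names in the three fragments are constructed for illustration) and evaluates the rule that would actually apply to an OAI-PMH request, honouring Spring's first-match ordering so that a broad anonymous rule placed before the `/oaipmh/**` rule is reported as still public.

```python
"""Audit Spring Security style intercept-url rules for anonymous access to
the OAI-PMH path (the CVE-2020-5228 class of default misconfiguration).

Added example, not Opencast code. Assumes the deployment's access rules
are XML <sec:intercept-url> elements; all fragments below are constructed.
"""
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
INTERCEPT_TAG = "{%s}intercept-url" % SEC_NS

# Access expressions that grant the resource to unauthenticated callers.
PUBLIC_ACCESS = {"ROLE_ANONYMOUS", "IS_AUTHENTICATED_ANONYMOUSLY", "permitAll"}

# Constructed fragment: pre-fix style default, OAI-PMH open to everyone.
WEAK_CONFIG = """<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/oaipmh/**" access="ROLE_ANONYMOUS"/>
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN"/>
  </sec:http>
</beans>"""

# Constructed fragment: the hardened default the advisory describes.
FIXED_CONFIG = """<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/oaipmh/**" access="ROLE_ADMIN"/>
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN"/>
  </sec:http>
</beans>"""

# Constructed fragment: the admin rule exists but is shadowed by an earlier
# catch-all, so the path is still public despite the apparent fix.
SHADOWED_CONFIG = """<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/**" access="ROLE_ANONYMOUS"/>
    <sec:intercept-url pattern="/oaipmh/**" access="ROLE_ADMIN"/>
  </sec:http>
</beans>"""


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern ('**' = any depth, '*' = one
    segment) into an anchored regular expression."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out + "$"


def effective_access(xml_text: str, path: str):
    """Return the access expression of the first rule matching `path`, in
    document order, or None when no rule matches (Spring first-match)."""
    root = ET.fromstring(xml_text)
    for rule in root.iter(INTERCEPT_TAG):
        if re.match(ant_to_regex(rule.get("pattern", "")), path):
            return rule.get("access", "")
    return None


def is_public(access: str) -> bool:
    """True when any comma-separated term of the expression grants anonymous
    access (covers both role lists and permitAll())."""
    terms = {t.strip().rstrip("()") for t in access.split(",")}
    return bool(terms & PUBLIC_ACCESS)


def audit(xml_text: str, path: str = "/oaipmh/default") -> tuple:
    """Classify the OAI-PMH path as 'public', 'restricted' or 'unmatched'
    together with the access expression that decided it."""
    access = effective_access(xml_text, path)
    if access is None:
        return ("unmatched", None)
    return ("public" if is_public(access) else "restricted", access)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG),
                      ("shadowed", SHADOWED_CONFIG)):
        print(name, audit(cfg))
```

An `unmatched` result deserves attention as well: with no explicit rule, the path falls through to whatever the deployment's trailing catch-all grants, which is the situation the advisory describes for the pre-fix default workflow.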
Metrics
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apereo | Opencast | < 7.6 |
| Apereo | Opencast | 8.0 |
References
- https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj (Mitigation, Third Party Advisory)
Source: NVD / NIST
