OpenCast < 7.6.0 and 8.0.0 Multiple Vulnerabilities

Published: 2020-02-04 07:51:44
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:S/C:C/I:P/A:N

Detection Type:
Remote Banner

Solution Type:
Vendor Patch

Summary:
OpenCast is prone to multiple vulnerabilities.

Detection Method:
Checks if a vulnerable version is present on the target host.

Technical Details:
OpenCast is prone to multiple vulnerabilities:

- Authentication Bypass For Endpoints With Anonymous Access (CVE-2020-5206)
- Hard-Coded Key Used For Remember-me Token (CVE-2020-5222)
- Unauthenticated Access Via OAI-PMH (CVE-2020-5228)
- Unsafe Identifiers (CVE-2020-5230)
- Users with ROLE_COURSE_ADMIN can create new users (CVE-2020-5231)

Affected Versions:
OpenCast versions prior to 7.6.0 and version 8.0.0.

Recommendations:
Update to version 7.6.0, 8.1.0 or later.

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2020-5206
https://nvd.nist.gov/vuln/detail/CVE-2020-5222
https://nvd.nist.gov/vuln/detail/CVE-2020-5228
https://nvd.nist.gov/vuln/detail/CVE-2020-5230
https://nvd.nist.gov/vuln/detail/CVE-2020-5231

References:

https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363
https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj
https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq
https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg

Severity
High
CVSS Score
7.5
