cvelistv5 - cve-2020-5222

CVE-2020-5222 (GCVE-0-2020-5222)

Vulnerability from cvelistv5 – Published: 2020-01-30 20:50 – Updated: 2024-08-04 08:22

Summary

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-798 - Use of Hard-coded Credentials

Assigner

GitHub_M

References

URL

Tags

	https://github.com/opencast/opencast/security/adv…	x_refsource_CONFIRM
	https://github.com/opencast/opencast/commit/1a717…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencast	opencast	Affected: < 7.6 Affected: >= 8.0, < 8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:22:08.720Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opencast",
          "vendor": "opencast",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0, \u003c 8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-30T20:50:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
        }
      ],
      "source": {
        "advisory": "GHSA-mh8g-hprg-8363",
        "discovery": "UNKNOWN"
      },
      "title": "Hard-Coded Key Used For Remember-me Token in OpenCast",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5222",
          "STATE": "PUBLIC",
          "TITLE": "Hard-Coded Key Used For Remember-me Token in OpenCast"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "opencast",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 7.6"
                          },
                          {
                            "version_value": "\u003e= 8.0, \u003c 8.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "opencast"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-798 Use of Hard-coded Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363",
              "refsource": "CONFIRM",
              "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
            },
            {
              "name": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6",
              "refsource": "MISC",
              "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mh8g-hprg-8363",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-5222",
    "datePublished": "2020-01-30T20:50:13",
    "dateReserved": "2020-01-02T00:00:00",
    "dateUpdated": "2024-08-04T08:22:08.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.6\", \"matchCriteriaId\": \"7056094F-6E63-4BFB-B8A3-125746BA882C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4A82AABB-ACF6-4017-99E8-4DA90CE416D7\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1\"}, {\"lang\": \"es\", \"value\": \"Opencast versiones anteriores a 7.6 y 8.1, habilita una cookie remember-me basada en un hash creado a partir del nombre de usuario, contrase\\u00f1a y una clave de sistema adicional. Esto significa que un atacante que obtiene acceso a un token remember-me para un servidor puede obtener acceso a todos los servidores que permiten el inicio de sesi\\u00f3n con las mismas credenciales sin necesidad alguna de las credenciales. Este problema se corrigi\\u00f3 en Opencast versi\\u00f3n 7.6 y Opencast versi\\u00f3n 8.1.\"}]",
      "id": "CVE-2020-5222",
      "lastModified": "2024-11-21T05:33:42.567",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-01-30T21:15:14.980",
      "references": "[{\"url\": \"https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-5222\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-01-30T21:15:14.980\",\"lastModified\":\"2024-11-21T05:33:42.567\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1\"},{\"lang\":\"es\",\"value\":\"Opencast versiones anteriores a 7.6 y 8.1, habilita una cookie remember-me basada en un hash creado a partir del nombre de usuario, contrase\u00f1a y una clave de sistema adicional. Esto significa que un atacante que obtiene acceso a un token remember-me para un servidor puede obtener acceso a todos los servidores que permiten el inicio de sesi\u00f3n con las mismas credenciales sin necesidad alguna de las credenciales. Este problema se corrigi\u00f3 en Opencast versi\u00f3n 7.6 y Opencast versi\u00f3n 8.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.6\",\"matchCriteriaId\":\"7056094F-6E63-4BFB-B8A3-125746BA882C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A82AABB-ACF6-4017-99E8-4DA90CE416D7\"}]}]}],\"references\":[{\"url\":\"https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2020-5222

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-5222

Aliases

CVE-2020-5222

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-5222",
    "description": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1",
    "id": "GSD-2020-5222"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-5222"
      ],
      "details": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1",
      "id": "GSD-2020-5222",
      "modified": "2023-12-13T01:22:03.163127Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5222",
        "STATE": "PUBLIC",
        "TITLE": "Hard-Coded Key Used For Remember-me Token in OpenCast"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "opencast",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 7.6"
                        },
                        {
                          "version_value": "\u003e= 8.0, \u003c 8.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "opencast"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-798 Use of Hard-coded Credentials"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363",
            "refsource": "CONFIRM",
            "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
          },
          {
            "name": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6",
            "refsource": "MISC",
            "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-mh8g-hprg-8363",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,7.6),[8.0]",
          "affected_versions": "All versions before 7.6, version 8.0",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-798",
            "CWE-937"
          ],
          "date": "2020-02-05",
          "description": "Opencast enables a `remember-me` cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a `remember-me` token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials.",
          "fixed_versions": [
            "7.6",
            "8.1"
          ],
          "identifier": "CVE-2020-5222",
          "identifiers": [
            "CVE-2020-5222",
            "GHSA-mh8g-hprg-8363"
          ],
          "not_impacted": "All versions starting from 7.6 before 8.0, all versions after 8.0",
          "package_slug": "maven/org.opencastproject/opencast-kernel",
          "pubdate": "2020-01-30",
          "solution": "Upgrade to versions 7.6, 8.1 or above.",
          "title": "Use of Hard-coded Credentials",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-5222"
          ],
          "uuid": "616c5ceb-b6d9-4cfa-93c4-ba561433eb9a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5222"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
            },
            {
              "name": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-02-05T18:51Z",
      "publishedDate": "2020-01-30T21:15Z"
    }
  }
}

FKIE_CVE-2020-5222

Vulnerability from fkie_nvd - Published: 2020-01-30 21:15 - Updated: 2024-11-21 05:33

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6	Patch
security-advisories@github.com	https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363	Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363	Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apereo	opencast	*
	apereo	opencast	8.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7056094F-6E63-4BFB-B8A3-125746BA882C",
              "versionEndExcluding": "7.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A82AABB-ACF6-4017-99E8-4DA90CE416D7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1"
    },
    {
      "lang": "es",
      "value": "Opencast versiones anteriores a 7.6 y 8.1, habilita una cookie remember-me basada en un hash creado a partir del nombre de usuario, contrase\u00f1a y una clave de sistema adicional. Esto significa que un atacante que obtiene acceso a un token remember-me para un servidor puede obtener acceso a todos los servidores que permiten el inicio de sesi\u00f3n con las mismas credenciales sin necesidad alguna de las credenciales. Este problema se corrigi\u00f3 en Opencast versi\u00f3n 7.6 y Opencast versi\u00f3n 8.1."
    }
  ],
  "id": "CVE-2020-5222",
  "lastModified": "2024-11-21T05:33:42.567",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-30T21:15:14.980",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-12675

Vulnerability from cnvd - Published: 2020-02-18

Title

Opencast信任管理问题漏洞

Description

Opencast是一套免费的开源视频管理解决方案，它具有可扩展、可定制和低成本等特点。 Opencast 7.6之前版本和8.1之前版本中存在信任管理问题漏洞。该漏洞源于网络系统或产品中缺乏有效的信任管理机制。攻击者可利用默认密码或者硬编码密码、硬编码证书等攻击受影响组件。

Severity

中

Patch Name

Opencast信任管理问题漏洞的补丁

Patch Description

Opencast是一套免费的开源视频管理解决方案，它具有可扩展、可定制和低成本等特点。 Opencast 7.6之前版本和8.1之前版本中存在信任管理问题漏洞。该漏洞源于网络系统或产品中缺乏有效的信任管理机制。攻击者可利用默认密码或者硬编码密码、硬编码证书等攻击受影响组件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363

Reference

https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6

Impacted products

Name
['Opencast Opencast <8.1', 'Opencast Opencast <7.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5222",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-5222"
    }
  },
  "description": "Opencast\u662f\u4e00\u5957\u514d\u8d39\u7684\u5f00\u6e90\u89c6\u9891\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff0c\u5b83\u5177\u6709\u53ef\u6269\u5c55\u3001\u53ef\u5b9a\u5236\u548c\u4f4e\u6210\u672c\u7b49\u7279\u70b9\u3002\n\nOpencast 7.6\u4e4b\u524d\u7248\u672c\u548c8.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u4e2d\u7f3a\u4e4f\u6709\u6548\u7684\u4fe1\u4efb\u7ba1\u7406\u673a\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u9ed8\u8ba4\u5bc6\u7801\u6216\u8005\u786c\u7f16\u7801\u5bc6\u7801\u3001\u786c\u7f16\u7801\u8bc1\u4e66\u7b49\u653b\u51fb\u53d7\u5f71\u54cd\u7ec4\u4ef6\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-12675",
  "openTime": "2020-02-18",
  "patchDescription": "Opencast\u662f\u4e00\u5957\u514d\u8d39\u7684\u5f00\u6e90\u89c6\u9891\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff0c\u5b83\u5177\u6709\u53ef\u6269\u5c55\u3001\u53ef\u5b9a\u5236\u548c\u4f4e\u6210\u672c\u7b49\u7279\u70b9\u3002\r\n\r\nOpencast 7.6\u4e4b\u524d\u7248\u672c\u548c8.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u4e2d\u7f3a\u4e4f\u6709\u6548\u7684\u4fe1\u4efb\u7ba1\u7406\u673a\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u9ed8\u8ba4\u5bc6\u7801\u6216\u8005\u786c\u7f16\u7801\u5bc6\u7801\u3001\u786c\u7f16\u7801\u8bc1\u4e66\u7b49\u653b\u51fb\u53d7\u5f71\u54cd\u7ec4\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Opencast\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Opencast Opencast \u003c8.1",
      "Opencast Opencast \u003c7.6"
    ]
  },
  "referenceLink": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6",
  "serverity": "\u4e2d",
  "submitTime": "2020-02-14",
  "title": "Opencast\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

GHSA-MH8G-HPRG-8363

Vulnerability from github – Published: 2020-01-30 21:21 – Updated: 2021-10-20 18:03

Summary

Hard-Coded Key Used For Remember-me Token in Opencast

Details

Impact

The security configuration in etc/security/mh_default_org.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:

<sec:remember-me key="opencast" user-service-ref="userDetailsService" />

This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.

Such an attack will usually not work on different installations – assuming that safe, unique passwords are used – but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.

Patches

This problem is fixed in Opencast 7.6 and Opencast 8.1

Workarounds

We strongly recommend updating to the patched version. Still, as a workaround for older versions, in etc/security/mh_default_org.xml, set a custom key for each server:

<sec:remember-me key="CUSTOM_RANDOM_KEY" user-service-ref="userDetailsService" />

References

For more information

If you have any questions or comments about this advisory: - Open an issue in opencast/opencast - For security-relevant information, email us at security@opencast.org

Thanks

Thanks to @LukasKalbertodt for reporting the issue.

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-30T20:48:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe security configuration in `etc/security/mh_default_org.xml` enables a remember-me cookie based on a hash created from the [username, password, and an additional system key](https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html). Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:\n\n```xml\n\u003csec:remember-me key=\"opencast\" user-service-ref=\"userDetailsService\" /\u003e\n```\n\nThis means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.\n\nSuch an attack will usually not work on different installations \u2013 assuming that safe, unique passwords are used \u2013 but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.\n\n### Patches\n\nThis problem is fixed in Opencast 7.6 and Opencast 8.1\n\n### Workarounds\n\nWe strongly recommend updating to the patched version. Still, as a workaround for older versions, in `etc/security/mh_default_org.xml`, set a custom key for each server:\n\n```xml\n\u003csec:remember-me key=\"CUSTOM_RANDOM_KEY\" user-service-ref=\"userDetailsService\" /\u003e\n```\n\n### References\n\n- [Relevant lines in the security configuration](https://github.com/opencast/opencast/blob/161ee619382f144dc35eea211fc6b556025b98e1/etc/security/mh_default_org.xml#L335-L336)\n- [Spring Security Remember-Me Authentication Documentation](https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html#remember-me-hash-token)\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues)\n- For security-relevant information, email us at [security@opencast.org](mailto:security@opencast.org)\n\n### Thanks\nThanks to @LukasKalbertodt for reporting the issue.",
  "id": "GHSA-mh8g-hprg-8363",
  "modified": "2021-10-20T18:03:56Z",
  "published": "2020-01-30T21:21:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hard-Coded Key Used For Remember-me Token in Opencast"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-5222 (GCVE-0-2020-5222)

GSD-2020-5222

FKIE_CVE-2020-5222

CNVD-2020-12675

GHSA-MH8G-HPRG-8363

Impact

Patches

Workarounds

References

For more information

Thanks

Tags

Sightings

Nomenclature