cve-2020-5231
Vulnerability from cvelistv5
Published
2020-01-30 21:15
Modified
2024-08-04 08:22
Severity ?
EPSS score ?
Summary
Opencast users with ROLE_COURSE_ADMIN can create new users
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:08.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "opencast",
"vendor": "opencast",
"versions": [
{
"status": "affected",
"version": "\u003c 7.6"
},
{
"status": "affected",
"version": "\u003e= 8.0, \u003c 8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name \u2013 implying an admin for a specific course \u2013 users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-30T21:15:16",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee"
}
],
"source": {
"advisory": "GHSA-94qw-r73x-j7hg",
"discovery": "UNKNOWN"
},
"title": "Opencast users with ROLE_COURSE_ADMIN can create new users",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5231",
"STATE": "PUBLIC",
"TITLE": "Opencast users with ROLE_COURSE_ADMIN can create new users"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "opencast",
"version": {
"version_data": [
{
"version_value": "\u003c 7.6"
},
{
"version_value": "\u003e= 8.0, \u003c 8.1"
}
]
}
}
]
},
"vendor_name": "opencast"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name \u2013 implying an admin for a specific course \u2013 users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg",
"refsource": "CONFIRM",
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg"
},
{
"name": "https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee",
"refsource": "MISC",
"url": "https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee"
}
]
},
"source": {
"advisory": "GHSA-94qw-r73x-j7hg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5231",
"datePublished": "2020-01-30T21:15:16",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:08.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-5231\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-01-30T22:15:10.220\",\"lastModified\":\"2020-02-10T21:55:25.883\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name \u2013 implying an admin for a specific course \u2013 users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.\"},{\"lang\":\"es\",\"value\":\"En Opencast anterior a las versiones 7.6 y 8.1, los usuarios con el rol ROLE_COURSE_ADMIN pueden usar el punto final user-utils para crear nuevos usuarios sin incluir el rol ROLE_ADMIN. ROLE_COURSE_ADMIN es un rol no est\u00e1ndar en Opencast al que no se hace referencia ni en la documentaci\u00f3n ni en ning\u00fan c\u00f3digo (excepto para las pruebas) sino solo en la configuraci\u00f3n de seguridad. Por el nombre, lo que implica un administrador para un curso espec\u00edfico, los usuarios nunca esperar\u00edan que este rol permita la creaci\u00f3n de usuarios. Este problema se solucion\u00f3 en 7.6 y 8.1, que incluyen una nueva configuraci\u00f3n de seguridad predeterminada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.6\",\"matchCriteriaId\":\"7056094F-6E63-4BFB-B8A3-125746BA882C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A82AABB-ACF6-4017-99E8-4DA90CE416D7\"}]}]}],\"references\":[{\"url\":\"https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.