GHSA-44CW-P2HM-GPF6

Vulnerability from github – Published: 2020-12-08 22:37 – Updated: 2021-10-20 18:02
VLAI?
Summary
Disabled Hostname Verification in Opencast
Details

Opencast before version 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests.

Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks.

Patches

This problem is fixed in Opencast 7.9 and Opencast 8.9

Self-Signed Certificates

Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate e.g. from Let's Encrypt.

Severity ?
4.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-12-08T22:37:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Opencast before version 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast\u0027s HTTP requests.\n\nHostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks.\n\n### Patches\n\nThis problem is fixed in Opencast 7.9 and Opencast 8.9\n\n### Self-Signed Certificates\n\nPlease be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate e.g. from [Let\u0027s Encrypt](https://letsencrypt.org).",
  "id": "GHSA-44cw-p2hm-gpf6",
  "modified": "2021-10-20T18:02:17Z",
  "published": "2020-12-08T22:37:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26234"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Disabled Hostname Verification in Opencast"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.