ghsa-94qw-r73x-j7hg
Vulnerability from github
Impact
Users with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint to create new users (with any roles other than `ROLE_ADMIN`). For example:
```bash
# Use the admin user to create a new user with ROLE_COURSE_ADMIN.
# We expect this to work.
% curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \
  --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201

# Use the new user to create more new users.
# We don't expect a user with just role ROLE_COURSE_ADMIN to succeed.
# But it does work.
% curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \
  --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201
```
`ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation.
Patches
This issue is fixed in 7.6 and 8.1, which both ship a new default security configuration.
Workarounds
You can fix this issue by removing all instances of `ROLE_COURSE_ADMIN` in your organization's security configuration (`etc/security/mh_default_org.xml` by default).
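To check a deployment for the workaround above, here is an added example (not Opencast's own code) that lists every `<sec:intercept-url>` rule whose access list grants `ROLE_COURSE_ADMIN` and produces a copy of the configuration with that role removed. The sample configuration is constructed for illustration and assumes the comma-separated `access` attribute style; the real `etc/security/mh_default_org.xml` is not reproduced on this page, so adapt the namespace and attribute handling to what your file actually contains.

```python
import xml.etree.ElementTree as ET

SEC_NS_URI = "http://www.springframework.org/schema/security"
SEC = "{" + SEC_NS_URI + "}"
ET.register_namespace("sec", SEC_NS_URI)  # keep the sec: prefix on output

RISKY_ROLE = "ROLE_COURSE_ADMIN"

# Constructed sample modelled on a Spring Security rule list. It is NOT the
# shipped mh_default_org.xml; only the shape of the rules is assumed here.
SAMPLE_CONFIG = """<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/user-utils/**" method="PUT" access="ROLE_ADMIN, ROLE_COURSE_ADMIN" />
    <sec:intercept-url pattern="/user-utils/**" method="DELETE" access="ROLE_ADMIN, ROLE_COURSE_ADMIN" />
    <sec:intercept-url pattern="/series/**" access="ROLE_ADMIN, ROLE_USER" />
    <sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  </sec:http>
</beans>"""


def _roles(rule):
    """Split a comma-separated access attribute into a clean role list."""
    return [r.strip() for r in rule.get("access", "").split(",") if r.strip()]


def find_grants(xml_text, role=RISKY_ROLE):
    """Return (pattern, method, access) for every rule that grants `role`.
    These are exactly the lines the workaround tells you to change."""
    root = ET.fromstring(xml_text)
    return [(rule.get("pattern"), rule.get("method", "ANY"), rule.get("access"))
            for rule in root.iter(SEC + "intercept-url") if role in _roles(rule)]


def strip_role(xml_text, role=RISKY_ROLE):
    """Return the configuration with `role` removed from every access list.
    A rule that granted only `role` would be left with an empty access list,
    which needs a human decision, so refuse instead of guessing."""
    root = ET.fromstring(xml_text)
    for rule in root.iter(SEC + "intercept-url"):
        roles = _roles(rule)
        if role in roles:
            remaining = [r for r in roles if r != role]
            if not remaining:
                raise ValueError(f"{rule.get('pattern')} would be left with no roles; review by hand")
            rule.set("access", ", ".join(remaining))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for pattern, method, access in find_grants(SAMPLE_CONFIG):
        print(f"{method:7} {pattern:20} access={access}")
    print(strip_role(SAMPLE_CONFIG))
```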
For more information
If you have any questions or comments about this advisory:
- Open an issue in opencast/opencast (https://github.com/opencast/opencast/issues)
- For security-relevant information, email us at security@opencast.org
Advisory metadata
- ID: GHSA-94qw-r73x-j7hg (alias CVE-2020-5231)
- Summary: Users with ROLE_COURSE_ADMIN can create new users in Opencast
- Affected package: org.opencastproject:opencast-kernel (Maven), all versions before 7.6, and 8.0 up to but not including 8.1
- Weakness: CWE-285 (Improper Authorization)
- Severity: MODERATE; CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Published: 2020-01-30T21:21:37Z (GitHub reviewed 2020-01-30T21:11:19Z); last modified: 2021-10-20T18:03:31Z
- References:
  - https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg
  - https://nvd.nist.gov/vuln/detail/CVE-2020-5231
  - https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee (fix commit)