GHSA-94QW-R73X-J7HG
Vulnerability from github – Published: 2020-01-30 21:21 – Updated: 2021-10-20 18:03
Summary
Users with ROLE_COURSE_ADMIN can create new users in Opencast
Details
Impact
Users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users with any roles other than ROLE_ADMIN. For example:
# Use the admin to create a new user with ROLE_COURSE_ADMIN using the admin user.
# We expect this to work.
# (The roles parameter is the URL-encoded JSON list ["ROLE_COURSE_ADMIN"].)
% curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \
    --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201

# Use the new user to create more new users.
# We don't expect a user with just role ROLE_COURSE_ADMIN to succeed.
# But it does work.
% curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \
    --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201
ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation.
Patches
This issue is fixed in 7.6 and 8.1, which both ship a new default security configuration.
Workarounds
You can fix this issue by removing all instances of ROLE_COURSE_ADMIN in your organization's security configuration (etc/security/mh_default_org.xml by default).
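The workaround above is a manual edit of a Spring Security XML file. As an added example (not Opencast's own code), the script below audits a configuration text for every access list that grants ROLE_COURSE_ADMIN and strips the role while leaving the rest of the file byte-for-byte intact. The sample configuration embedded in it is constructed for illustration and only mimics the shape of an intercept-url list; the real file to run it against is the one the advisory names, etc/security/mh_default_org.xml. It deliberately refuses to produce an empty access list (an intercept-url protected only by ROLE_COURSE_ADMIN) and reports it instead, since that line needs a human decision about which role should guard the path.

```python
"""Audit and strip a role from an Opencast-style Spring Security XML config.

Regex-based on purpose: xml.etree would rewrite namespace prefixes and
whitespace, which is undesirable for a hand-maintained config file.
"""
import re
import sys

# Constructed sample in the shape of a Spring Security intercept-url list.
# Patterns and role combinations are illustrative, not copied from Opencast.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN" />
    <sec:intercept-url pattern="/user-utils/**" access="ROLE_ADMIN, ROLE_COURSE_ADMIN" />
    <sec:intercept-url pattern="/course/**" access="ROLE_COURSE_ADMIN" />
    <sec:intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
  </sec:http>
</beans>
"""

# Matches a double-quoted access attribute; the group is the comma-separated role list.
ACCESS_ATTR = re.compile(r'access="([^"]*)"')


def _roles(attr_value):
    """Split an access attribute value into its trimmed, non-empty role names."""
    return [r.strip() for r in attr_value.split(",") if r.strip()]


def find_role(config_text, role="ROLE_COURSE_ADMIN"):
    """Return the 1-based line numbers whose access list grants `role`."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if any(role in _roles(m.group(1)) for m in ACCESS_ATTR.finditer(line)):
            hits.append(lineno)
    return hits


def strip_role(config_text, role="ROLE_COURSE_ADMIN"):
    """Remove `role` from every access list and return (new_text, warnings).

    An access list that would become empty is left unchanged and reported:
    writing access="" is not a safe substitute for choosing the right role.
    """
    warnings = []

    def replace(match):
        roles = _roles(match.group(1))
        if role not in roles:
            return match.group(0)
        kept = [r for r in roles if r != role]
        if not kept:
            warnings.append(
                f"{match.group(0)} would become empty; left unchanged, fix by hand"
            )
            return match.group(0)
        return 'access="' + ", ".join(kept) + '"'

    return ACCESS_ATTR.sub(replace, config_text), warnings


if __name__ == "__main__":
    # Usage: python strip_role.py etc/security/mh_default_org.xml > fixed.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("lines granting ROLE_COURSE_ADMIN:", find_role(text), file=sys.stderr)
    fixed, notes = strip_role(text)
    for note in notes:
        print("WARNING:", note, file=sys.stderr)
    sys.stdout.write(fixed)
```

Run against the sample, the audit reports lines 5 and 6; the rewrite trims line 5 to access="ROLE_ADMIN" and flags line 6 because ROLE_COURSE_ADMIN was its only role. The matcher only understands plain comma-separated role lists in double-quoted attributes; a configuration that uses single quotes or SpEL expressions such as hasRole(...) would need the pattern extended.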
For more information
If you have any questions or comments about this advisory:
- Open an issue in opencast/opencast (https://github.com/opencast/opencast/issues)
- For security-relevant information, email us at security@opencast.org
Severity
4.8 (Medium), CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-30T21:11:19Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint to create new users not including the role `ROLE_ADMIN`. For example:\n\n```bash\n# Use the admin to create a new user with ROLE_COURSE_ADMIN using the admin user.\n# We expect this to work.\n% curl -i -u admin:opencast \u0027https://example.opencast.org/user-utils/xy.json\u0027 -X PUT \\\n --data \u0027password=f\u0026roles=%5B%22ROLE_COURSE_ADMIN%22%5D\u0027\nHTTP/2 201\n\n# Use the new user to create more new users.\n# We don\u0027t exp\u00fcect a user with just role ROLE_COURSE_ADMIN to succeed.\n# But it does work\n% curl -i -u xy:f \u0027https://example.opencast.org/user-utils/ab.json\u0027 -X PUT \\\n --data \u0027password=f\u0026roles=%5B%22ROLE_COURSE_ADMIN%22%5D\u0027\nHTTP/2 201\n```\n`ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name \u2013 implying an admin for a specific course \u2013 users would never expect that this role allows user creation.\n\n### Patches\n\nThis issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.\n\n### Workarounds\n\nYou can fix this issue by removing all instances of `ROLE_COURSE_ADMIN` in your organization\u0027s security configuration (`etc/security/mh_default_org.xml` by default).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues)\n- For security-relevant information, email us at security@opencast.org",
  "id": "GHSA-94qw-r73x-j7hg",
  "modified": "2021-10-20T18:03:31Z",
  "published": "2020-01-30T21:21:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5231"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Users with ROLE_COURSE_ADMIN can create new users in Opencast"
}