ghsa-qm6v-cg9v-53j3
Vulnerability from github
Published
2022-05-25 20:16
Modified
2022-05-25 20:16
Severity ?
Summary
Limited Authentication Bypass for Media Files
Details
Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers.
Impact
The vulnerability allows attackers to bypass organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster.
If you do not run a multi-tenant cluster, you are not affected by this issue.
Patches
This issue is fixed in Opencast 10.14 and 11.7.
References
For more information
If you have any questions or comments about this advisory: * Open an issue in our issue tracker * Email us at security@opencast.org
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-ingest-service-impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-ingest-service-impl"
},
"ranges": [
{
"events": [
{
"introduced": "11.0"
},
{
"fixed": "11.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29237"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T20:16:36Z",
"nvd_published_at": "2022-05-24T15:15:00Z",
"severity": "MODERATE"
},
"details": "Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user\u0027s own, which Opencast would then import into the current organization, bypassing organizational barriers.\n\n### Impact\n\nThe vulnerability allows attackers to bypass organizational barriers. Attackers must have full access to Opencast\u0027s ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster.\n\nIf you do not run a multi-tenant cluster, you are not affected by this issue.\n\n### Patches\n\nThis issue is fixed in Opencast 10.14 and 11.7.\n\n### References\n\n- [Patch fixing the issue](https://github.com/opencast/opencast/commit/8d5ec1614eed109b812bc27b0c6d3214e456d4e7)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues)\n* Email us at [security@opencast.org](mailto:security@opencast.org)\n",
"id": "GHSA-qm6v-cg9v-53j3",
"modified": "2022-05-25T20:16:36Z",
"published": "2022-05-25T20:16:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-qm6v-cg9v-53j3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29237"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/commit/8d5ec1614eed109b812bc27b0c6d3214e456d4e7"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencast/opencast"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Limited Authentication Bypass for Media Files"
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.