GHSA-w29m-fjp4-qhmq
Vulnerability from GitHub
Published: 2020-01-30 21:21
Modified: 2021-01-14 17:45
Severity: MODERATE
Summary
Unsafe Identifiers in Opencast
Details
Impact
Opencast allows almost arbitrary identifiers to be used for media packages and elements. This is problematic for both operation and security, since such identifiers are sometimes used in file system operations, which may let an attacker escape the working directory and write files to other locations (path traversal).
In addition, the differing behaviour of Opencast's Id.toString(…) and Id.compact(…), the latter an attempt to mitigate some of the file system problems, can cause errors through identifier mismatch, since an identifier may change unintentionally between the two representations.
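The defensive pattern that addresses both points above, as an added example that is not Opencast's own code: validate identifiers against a strict allowlist at the boundary and reject anything else, rather than rewriting them on use, then confine the resolved path to the workspace. The allowlist policy, the workspace layout and the sample identifiers are assumptions for illustration.

```python
import re
from pathlib import Path

# Assumed allowlist policy for media package and element identifiers
# (an illustration, not Opencast's own rule): ASCII letters, digits,
# '-', '_' and '.', 1 to 64 characters, and not starting with '.', which
# also rules out '.', '..' and hidden files.
ID_PATTERN = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")


def is_safe_identifier(identifier: str) -> bool:
    """Accept or reject an identifier; never rewrite it.

    Rejecting at the boundary means an accepted identifier is used
    unchanged everywhere, so the value in metadata and the value used
    for file system paths cannot drift apart (the toString/compact
    mismatch the advisory describes)."""
    return ID_PATTERN.fullmatch(identifier) is not None


def resolve_in_workspace(workspace, media_package_id: str, element_id: str) -> Path:
    """Return <workspace>/<media package id>/<element id>, refusing any
    identifier that fails the allowlist or any path that leaves workspace."""
    for ident in (media_package_id, element_id):
        if not is_safe_identifier(ident):
            raise ValueError(f"unsafe identifier rejected: {ident!r}")
    base = Path(workspace).resolve()
    target = (base / media_package_id / element_id).resolve()
    # Defence in depth: containment check even after allowlist validation,
    # so a later relaxation of ID_PATTERN cannot silently reintroduce escapes.
    if target != base and base not in target.parents:
        raise ValueError(f"resolved path escapes the workspace: {target}")
    return target


def classify(identifiers):
    """Split constructed sample identifiers into accepted and rejected lists."""
    accepted = [i for i in identifiers if is_safe_identifier(i)]
    rejected = [i for i in identifiers if not is_safe_identifier(i)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed samples: the last four would reach other directories or
    # be altered by a sanitiser if passed through unchecked.
    samples = ["mp-7d2b1f4e", "track-1.mp4", "../../outside.txt",
               "videos/../../shared", "..", "a b/c"]
    ok, bad = classify(samples)
    print("accepted:", ok)
    print("rejected:", bad)
    print(resolve_in_workspace("/tmp/opencast-work", ok[0], ok[1]))
```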
Patches
This issue is fixed in Opencast 7.6 and 8.1.
Workarounds
There is no workaround for this.
For more information
If you have any questions or comments about this advisory:
- Open an issue in opencast/opencast (https://github.com/opencast/opencast/issues)
- For security-relevant information, email us at security@opencast.org
Record metadata
- ID: GHSA-w29m-fjp4-qhmq
- Aliases: CVE-2020-5230
- CWE: CWE-99
- Severity: MODERATE (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
- Affected package (Maven ecosystem): org.opencastproject:base
  - introduced 0, fixed 7.6
  - introduced 8.0, fixed 8.1
- Published: 2020-01-30T21:21:50Z; modified: 2021-01-14T17:45:47Z; GitHub reviewed: 2020-01-30T20:35:35Z
- References:
  - https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq
  - https://nvd.nist.gov/vuln/detail/CVE-2020-5230
  - https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317