GSD-2018-16153
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-16153",
"id": "GSD-2018-16153"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-16153"
],
"details": "An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations.",
"id": "GSD-2018-16153",
"modified": "2023-12-13T01:22:26.285537Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16153",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.apereo.org/projects/opencast/news",
"refsource": "MISC",
"url": "https://www.apereo.org/projects/opencast/news"
},
{
"name": "https://github.com/advisories/GHSA-hcxx-mp6g-6gr9",
"refsource": "MISC",
"url": "https://github.com/advisories/GHSA-hcxx-mp6g-6gr9"
},
{
"name": "https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51",
"refsource": "MISC",
"url": "https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51"
},
{
"name": "https://docs.opencast.org/r/10.x/admin/#changelog",
"refsource": "MISC",
"url": "https://docs.opencast.org/r/10.x/admin/#changelog"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,10.6)",
"affected_versions": "All versions before 10.6",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-12-14",
"description": "The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.\n\n### Impact\n\nOpencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user\u0027s credentials, regardless of the target being part of the Opencast cluster or not.\n\nPrevious mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.\n\n### Patches\n\nOpencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.\n\n### Workarounds\n\nNo workaround available.\n\n### References\n\n- [Patch fixing the issue](https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51)\n- [Original security notice](https://groups.google.com/a/opencast.org/g/security-notices/c/XRZzRiqp-NE)\n- [Original security mitigation](https://github.com/opencast/opencast/commit/fe8c3d3a60dc5869b468957270dbad5f8c30ead6)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues)\n- Email us at [security@opencast.org](mailto:security@opencast.org)\n",
"fixed_versions": [
"10.6"
],
"identifier": "GMS-2021-145",
"identifiers": [
"GHSA-hcxx-mp6g-6gr9",
"GMS-2021-145",
"CVE-2018-16153"
],
"not_impacted": "All versions starting from 10.6",
"package_slug": "maven/org.opencastproject/opencast-common",
"pubdate": "2021-12-14",
"solution": "Upgrade to version 10.6 or above.",
"title": "Opencast publishes global system account credentials",
"urls": [
"https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9",
"https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51",
"https://docs.opencast.org/r/10.x/admin/#changelog/#opencast-106",
"https://github.com/advisories/GHSA-hcxx-mp6g-6gr9"
],
"uuid": "48765ed4-88e6-45ae-8ef9-08e8214a3464"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8AB1096F-E6FE-4478-B7EE-9A9672C041D9",
"versionEndExcluding": "10.6",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en Apereo Opencast 4.x a 10.x antes de 10.6. Env\u00eda credenciales de resumen del sistema durante los intentos de autenticaci\u00f3n a servicios externos arbitrarios en algunas situaciones."
}
],
"id": "CVE-2018-16153",
"lastModified": "2023-12-14T20:30:45.820",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-12T17:15:07.517",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://docs.opencast.org/r/10.x/admin/#changelog"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-hcxx-mp6g-6gr9"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.apereo.org/projects/opencast/news"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…