Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oY3h4LW1wNmctNmdyOc0bPw

Opencast publishes global system account credentials

The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.

Impact

Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of the target being part of the Opencast cluster or not.

Previous mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.

Patches

Opencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.

Workarounds

No workaround available.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in our issue tracker
Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-hcxx-mp6g-6gr9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oY3h4LW1wNmctNmdyOc0bPw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 5 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-hcxx-mp6g-6gr9, CVE-2018-16153
References:

Repository: https://github.com/opencast/opencast
Blast Radius: 11.8

Affected Packages

maven:org.opencastproject:opencast-common

Dependent packages: 243
Dependent repositories: 37
Downloads:
Affected Version Ranges: < 10.6
Fixed in: 10.6
All affected versions:
All unaffected versions: