Description

Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch.

Impact

Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing.

Patches

This issue is fixed in Opencast 17.6

If you have any questions or comments about this advisory:

• Open an issue in our issue tracker
• Email us at [email protected]

• https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7
• https://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6
• https://github.com/advisories/GHSA-j63h-hmgw-x4j7