Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXcyOW0tZmpwNC1xaG1x
Unsafe Identifiers in Opencast
Impact
Opencast allows almost arbitrary identifiers for media packages and
elements to be used. This can be problematic for operation and security
since such identifiers are sometimes used for file system operations
which may lead to an attacker being able to escape working directories and
write files to other locations.
In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior,
the latter trying to mitigate some of the file system problems, can
cause errors due to identifier mismatch since an identifier may
unintentionally change.
Patches
This issue is fixed in Opencast 7.6 and 8.1.
Workarounds
There is no workaround for this.
For more information
If you have any questions or comments about this advisory:
- Open an issue in opencast/opencast
- For security-relevant information, email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXcyOW0tZmpwNC1xaG1x
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-w29m-fjp4-qhmq, CVE-2020-5230
References:
- https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq
- https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317
- https://nvd.nist.gov/vuln/detail/CVE-2020-5230
- https://github.com/advisories/GHSA-w29m-fjp4-qhmq
Blast Radius: 0.0
Affected Packages
maven:org.opencastproject:base
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 8.0, < 8.1, < 7.6
Fixed in: 8.1, 7.6
All affected versions:
All unaffected versions: