CVE-2020-5222

Опубликовано: 30 янв. 2020

Источник: nvd

CVSS3: 6.8

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1

Ссылки

https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6
Patch
https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363
Mitigation
Third Party Advisory
https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6
Patch
https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*

Версия до 7.6 (исключая)

cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*

EPSS

Процентиль: 49%

0.0026

Низкий

6.8 Medium

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-798

Связанные уязвимости

GHSA-mh8g-hprg-8363

CVSS3: 6.8

github

около 6 лет назад

Hard-Coded Key Used For Remember-me Token in Opencast

EPSS

Процентиль: 49%

0.0026

Низкий

6.8 Medium

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-798