
CVE-2020-5231

Published: 30 Jan 2020
Source: nvd
CVSS3: 4.8
CVSS3: 6.5
CVSS2: 4
EPSS: Low

Description

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*
Version before 7.6 (excluding)
cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*

EPSS

Percentile: 46%
0.00229
Low

CVSS3: 4.8 Medium

CVSS3: 6.5 Medium

CVSS2: 4 Medium

Weaknesses

CWE-285
CWE-276

Related vulnerabilities

CVSS3: 4.8
github
about 6 years ago

Users with ROLE_COURSE_ADMIN can create new users in Opencast
