Opencast users with ROLE_COURSE_ADMIN can create new users
CVE-2020-5231

4.8MEDIUM

Key Information:

Vendor: Opencast
Status: Opencast
Vendor: CVE Published:; 30 January 2020

Summary

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.

Affected Version(s)

opencast < 7.6 < 7.6

opencast >= 8.0, < 8.1 < 8.0, 8.1

References

https://github.com/opencast/opencast/security/advisories/...

x_refsource_CONFIRM

https://github.com/opencast/opencast/commit/72fad0031d8a8...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 30, 2020
Vulnerability Reserved
Jan 2, 2020