Vulnerability Details CVE-2020-5206
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.5%
CVSS Severity
CVSS v3 Score 8.7
CVSS v2 Score 6.4
References
- https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
- https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
- https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
- https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
Products affected by CVE-2020-5206
-
cpe:2.3:a:apereo:opencast:1.3.0
-
cpe:2.3:a:apereo:opencast:1.3.1
-
cpe:2.3:a:apereo:opencast:1.4
-
cpe:2.3:a:apereo:opencast:1.4.1
-
cpe:2.3:a:apereo:opencast:1.4.2
-
cpe:2.3:a:apereo:opencast:1.4.3
-
cpe:2.3:a:apereo:opencast:1.4.4
-
cpe:2.3:a:apereo:opencast:1.5.0
-
cpe:2.3:a:apereo:opencast:1.5.1
-
cpe:2.3:a:apereo:opencast:1.6.0
-
cpe:2.3:a:apereo:opencast:1.6.1
-
cpe:2.3:a:apereo:opencast:1.6.2
-
cpe:2.3:a:apereo:opencast:1.6.3
-
cpe:2.3:a:apereo:opencast:2.0.0
-
cpe:2.3:a:apereo:opencast:2.0.1
-
cpe:2.3:a:apereo:opencast:2.0.2
-
cpe:2.3:a:apereo:opencast:2.1.0
-
cpe:2.3:a:apereo:opencast:2.1.1
-
cpe:2.3:a:apereo:opencast:2.1.2
-
cpe:2.3:a:apereo:opencast:2.2.0
-
cpe:2.3:a:apereo:opencast:2.2.1
-
cpe:2.3:a:apereo:opencast:2.2.2
-
cpe:2.3:a:apereo:opencast:2.2.3
-
cpe:2.3:a:apereo:opencast:2.2.4
-
cpe:2.3:a:apereo:opencast:2.2.5
-
cpe:2.3:a:apereo:opencast:2.3.0
-
cpe:2.3:a:apereo:opencast:2.3.1
-
cpe:2.3:a:apereo:opencast:2.3.2
-
cpe:2.3:a:apereo:opencast:2.3.3
-
cpe:2.3:a:apereo:opencast:2.3.4
-
cpe:2.3:a:apereo:opencast:2.3.5
-
cpe:2.3:a:apereo:opencast:3.0
-
cpe:2.3:a:apereo:opencast:3.1
-
cpe:2.3:a:apereo:opencast:3.2
-
cpe:2.3:a:apereo:opencast:3.3
-
cpe:2.3:a:apereo:opencast:3.4
-
cpe:2.3:a:apereo:opencast:3.5
-
cpe:2.3:a:apereo:opencast:3.6
-
cpe:2.3:a:apereo:opencast:3.7
-
cpe:2.3:a:apereo:opencast:4.0
-
cpe:2.3:a:apereo:opencast:4.1
-
cpe:2.3:a:apereo:opencast:4.2
-
cpe:2.3:a:apereo:opencast:4.3
-
cpe:2.3:a:apereo:opencast:4.4
-
cpe:2.3:a:apereo:opencast:4.5
-
cpe:2.3:a:apereo:opencast:5.0
-
cpe:2.3:a:apereo:opencast:5.1
-
cpe:2.3:a:apereo:opencast:5.2
-
cpe:2.3:a:apereo:opencast:5.3
-
cpe:2.3:a:apereo:opencast:5.4
-
cpe:2.3:a:apereo:opencast:5.5
-
cpe:2.3:a:apereo:opencast:6.0
-
cpe:2.3:a:apereo:opencast:6.1
-
cpe:2.3:a:apereo:opencast:6.2
-
cpe:2.3:a:apereo:opencast:6.3
-
cpe:2.3:a:apereo:opencast:6.4
-
cpe:2.3:a:apereo:opencast:6.5
-
cpe:2.3:a:apereo:opencast:6.6
-
cpe:2.3:a:apereo:opencast:6.7
-
cpe:2.3:a:apereo:opencast:7.0
-
cpe:2.3:a:apereo:opencast:7.1
-
cpe:2.3:a:apereo:opencast:7.2
-
cpe:2.3:a:apereo:opencast:7.3
-
cpe:2.3:a:apereo:opencast:7.4
-
cpe:2.3:a:apereo:opencast:7.5
-
cpe:2.3:a:apereo:opencast:8.0