Vulnerability Details CVE-2020-5231
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.7%
CVSS Severity
CVSS v3 Score 4.8
CVSS v2 Score 4.0
References
- https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee
- https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg
- https://github.com/opencast/opencast/commit/72fad0031d8a82c860e2bde0b27570c5042320ee
- https://github.com/opencast/opencast/security/advisories/GHSA-94qw-r73x-j7hg
Products affected by CVE-2020-5231
-
cpe:2.3:a:apereo:opencast:1.3.0
-
cpe:2.3:a:apereo:opencast:1.3.1
-
cpe:2.3:a:apereo:opencast:1.4
-
cpe:2.3:a:apereo:opencast:1.4.1
-
cpe:2.3:a:apereo:opencast:1.4.2
-
cpe:2.3:a:apereo:opencast:1.4.3
-
cpe:2.3:a:apereo:opencast:1.4.4
-
cpe:2.3:a:apereo:opencast:1.5.0
-
cpe:2.3:a:apereo:opencast:1.5.1
-
cpe:2.3:a:apereo:opencast:1.6.0
-
cpe:2.3:a:apereo:opencast:1.6.1
-
cpe:2.3:a:apereo:opencast:1.6.2
-
cpe:2.3:a:apereo:opencast:1.6.3
-
cpe:2.3:a:apereo:opencast:2.0.0
-
cpe:2.3:a:apereo:opencast:2.0.1
-
cpe:2.3:a:apereo:opencast:2.0.2
-
cpe:2.3:a:apereo:opencast:2.1.0
-
cpe:2.3:a:apereo:opencast:2.1.1
-
cpe:2.3:a:apereo:opencast:2.1.2
-
cpe:2.3:a:apereo:opencast:2.2.0
-
cpe:2.3:a:apereo:opencast:2.2.1
-
cpe:2.3:a:apereo:opencast:2.2.2
-
cpe:2.3:a:apereo:opencast:2.2.3
-
cpe:2.3:a:apereo:opencast:2.2.4
-
cpe:2.3:a:apereo:opencast:2.2.5
-
cpe:2.3:a:apereo:opencast:2.3.0
-
cpe:2.3:a:apereo:opencast:2.3.1
-
cpe:2.3:a:apereo:opencast:2.3.2
-
cpe:2.3:a:apereo:opencast:2.3.3
-
cpe:2.3:a:apereo:opencast:2.3.4
-
cpe:2.3:a:apereo:opencast:2.3.5
-
cpe:2.3:a:apereo:opencast:3.0
-
cpe:2.3:a:apereo:opencast:3.1
-
cpe:2.3:a:apereo:opencast:3.2
-
cpe:2.3:a:apereo:opencast:3.3
-
cpe:2.3:a:apereo:opencast:3.4
-
cpe:2.3:a:apereo:opencast:3.5
-
cpe:2.3:a:apereo:opencast:3.6
-
cpe:2.3:a:apereo:opencast:3.7
-
cpe:2.3:a:apereo:opencast:4.0
-
cpe:2.3:a:apereo:opencast:4.1
-
cpe:2.3:a:apereo:opencast:4.2
-
cpe:2.3:a:apereo:opencast:4.3
-
cpe:2.3:a:apereo:opencast:4.4
-
cpe:2.3:a:apereo:opencast:4.5
-
cpe:2.3:a:apereo:opencast:5.0
-
cpe:2.3:a:apereo:opencast:5.1
-
cpe:2.3:a:apereo:opencast:5.2
-
cpe:2.3:a:apereo:opencast:5.3
-
cpe:2.3:a:apereo:opencast:5.4
-
cpe:2.3:a:apereo:opencast:5.5
-
cpe:2.3:a:apereo:opencast:6.0
-
cpe:2.3:a:apereo:opencast:6.1
-
cpe:2.3:a:apereo:opencast:6.2
-
cpe:2.3:a:apereo:opencast:6.3
-
cpe:2.3:a:apereo:opencast:6.4
-
cpe:2.3:a:apereo:opencast:6.5
-
cpe:2.3:a:apereo:opencast:6.6
-
cpe:2.3:a:apereo:opencast:6.7
-
cpe:2.3:a:apereo:opencast:7.0
-
cpe:2.3:a:apereo:opencast:7.1
-
cpe:2.3:a:apereo:opencast:7.2
-
cpe:2.3:a:apereo:opencast:7.3
-
cpe:2.3:a:apereo:opencast:7.4
-
cpe:2.3:a:apereo:opencast:7.5
-
cpe:2.3:a:apereo:opencast:8.0