Advisories for Maven/Org.opencastproject/Opencast-Kernel package

2022

URL Redirection to Untrusted Site ('Open Redirect')

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to redirect users to sites outside of one's Opencast install, potentially facilitating phishing attacks or other security issues. This issue is fixed in Opencast 12.5 and newer.

Improper Authentication

Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of …

2021

Incorrect Authorization

Opencast is a free, open-source platform to support the management of educational audio and video content.On removal of an episode, this may lead to an access control list for series metadata with broader access rules than the merged access rules of all remaining events, or the series metadata still being available although all episodes of that series have been removed.

2020

Use of Hard-coded Credentials

Opencast enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials.

Use of a Broken or Risky Cryptographic Algorithm

Opencast stores passwords using the outdated and cryptographically insecure MD5 hash algorithm. Password hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide. This is problematic especially for common users like the default admin user. This means that for an attacker it might be feasible to reconstruct a user's password given access to these hashes. Note that …

Incorrect Default Permissions

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this …

Improper Authentication

In Opencast using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication.

2017