CVE-2020-5206: Improper Authentication
In Opencast, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect, provided that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication.
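The following is an added illustration, not Opencast's code: a simplified model of the decision described above, with the flawed logic beside a corrected one. The token format, key, user table and function names are assumptions made up for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for this example; not Opencast's real key or token format.
SERVER_KEY = b"example-server-key"
USER_SECRETS = {"admin": b"admin-secret", "alice": b"alice-secret"}
ANONYMOUS = "anonymous"


def make_token(username: str) -> str:
    """Issue a remember-me token: username plus an HMAC bound to that user."""
    mac = hmac.new(SERVER_KEY + USER_SECRETS[username], username.encode(), hashlib.sha256)
    return f"{username}:{mac.hexdigest()}"


def token_is_valid(token: str) -> bool:
    """Recompute the signature for the claimed user and compare in constant time."""
    username, _, signature = token.partition(":")
    if username not in USER_SECRETS:
        return False
    expected = make_token(username).partition(":")[2]
    return hmac.compare_digest(signature.encode(), expected.encode())


def resolve_user_flawed(token: Optional[str], anonymous_allowed: bool) -> Optional[str]:
    """Models the flaw: on anonymous endpoints the claimed username survives a failed check."""
    if token is None:
        return ANONYMOUS if anonymous_allowed else None
    claimed = token.partition(":")[0]
    if token_is_valid(token) or anonymous_allowed:
        return claimed  # BUG: identity taken from an unverified cookie
    return None


def resolve_user_fixed(token: Optional[str], anonymous_allowed: bool) -> Optional[str]:
    """Identity comes only from a verified token; otherwise anonymous or rejected (None)."""
    if token is not None and token_is_valid(token):
        return token.partition(":")[0]
    return ANONYMOUS if anonymous_allowed else None
```

In the corrected version a request with an invalid token is treated exactly like a request with no token, so an endpoint that permits anonymous access serves it only with anonymous privileges.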