CVE-2020-5206

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1

Published: Jan 30, 2020
Updated: May 9, 2024
CVE: CVE-2020-5206
GHSA: GHSA-vmm6-w4cf-7f3x
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 10
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

OWASP TOP 10:

Affected Software
References

Software	From	Fixed in
apereo / opencast	8.0	8.0.x
apereo / opencast	-	7.6
org.opencastproject / opencast-kernel	-	7.6
org.opencastproject / opencast-kernel	8.0	8.1

Vulnerability Database

CVE-2020-5206