CVE-2022-29237

EPSS 0.14%
Published 24.05.2022 15:15:08
Last modified 21.11.2024 06:58:46
Source security-advisories@github.com
Teams watchlist Login
Open Login

Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster. Users who do not run a multi-tenant cluster are not affected by this issue. This issue is fixed in Opencast 10.14 and 11.7.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apereo ≫ Opencast Version < 10.14

Apereo ≫ Opencast Version >= 11.0 < 11.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.345

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:P/A:N
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/opencast/opencast/commit/8d5ec1614eed109b812bc27b0c6d3214e456d4e7

Patch

Third Party Advisory

https://github.com/opencast/opencast/security/advisories/GHSA-qm6v-cg9v-53j3

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-29237

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-29237

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-29237

EUVD