Medium severity6.5NVD Advisory· Published Nov 17, 2017· Updated May 13, 2026

CVE-2017-1000221

Description

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.opencastproject:opencast-kernelMaven	< 2.2.4	2.2.4

Affected products

Apereo/Opencast
cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*
Range: <=2.2.3

Patches

f1abcaf998a4

MH-11862, Fix Solr role handling

https://github.com/opencast/opencastMatthias NeugebauerNov 16, 2016via ghsa

commit

2 files changed · +2 −2

modules/matterhorn-search-service-impl/src/main/java/org/opencastproject/search/impl/solr/SolrIndexManager.java+1 −1 modified

@@ -675,7 +675,7 @@ static void setAuthorization(SolrInputDocument doc, SecurityService securityServ
 
     // Write the permissions to the solr document
     for (Map.Entry<String, List<String>> entry : permissions.entrySet()) {
-      Schema.setOcAcl(doc, new DField<String>(mkString(entry.getValue(), ","), entry.getKey()));
+      Schema.setOcAcl(doc, new DField<String>(mkString(entry.getValue(), " "), entry.getKey()));
     }
   }

modules/matterhorn-search-service-impl/src/main/resources/solr/conf/schema.xml+1 −1 modified

@@ -308,7 +308,7 @@
     <field name="fulltext" type="text" indexed="true" stored="false" multiValued="true"/>
 
     <!-- Authorization fields -->
-    <dynamicField name="oc_acl_*"  type="text" indexed="true"  stored="true" />
+    <dynamicField name="oc_acl_*" type="text_ws" indexed="true" stored="true" />
   </fields>
 
   <!-- Field to use to determine and enforce document uniqueness.

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

opencast.jira.com/browse/MH-11862nvdExploitIssue TrackingVendor AdvisoryWEB
github.com/advisories/GHSA-hx44-c87v-p6xgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-1000221ghsaADVISORY
github.com/opencast/opencast/commit/f1abcaf998a469a2081461e0e3b4211927849439ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000