Critical severity · NVD Advisory · Published Jan 30, 2020 · Updated Aug 4, 2024
Authentication Bypass For Endpoints With Anonymous Access in Opencast
CVE-2020-5206
Description
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect, provided that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencastproject:opencast-kernel (Maven) | < 7.6 | 7.6 |
| org.opencastproject:opencast-kernel (Maven) | >= 8.0, < 8.1 | 8.1 |
References
- github.com/advisories/GHSA-vmm6-w4cf-7f3x
- nvd.nist.gov/vuln/detail/CVE-2020-5206
- github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
- github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x