LTI user provider may allow LMS admins to become Opencast admins

Greg Logan

May 31, 2018, 1:43:02 PM
to security...@opencast.org
Hello,
this is the official security notice regarding a security issue
recently discovered in Opencast versions earlier than 3.5, and 4.3.

Description:

   LTI users with privileged names in Opencast may be granted inappropriate
   roles within Opencast.


Affects:

   This issue affects Opencast versions earlier than 3.5, and 4.3.


Details:

   Opencast blindly trusts the username provided by LTI, furnishing the
   logged-in user with all of its normal Opencast roles.  This allows users
   such as 'admin' or 'opencast_system_account' to be logged in
   inappropriately in some cases.  This issue has been filed at:

   https://opencast.jira.com/browse/MH-12840

Patching the system:

   Patches for this issue are included in Opencast 3.6, and 4.4.

Credits:

  This issue was discovered and fixed by Matthias Neugebauer
  (University of Munster).
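To make the trust boundary in the advisory concrete, here is an added example; it is not Opencast's code and not the fix shipped in 3.6/4.4. It shows a lookup that resolves the LTI-supplied user id straight against the local user directory, beside a variant that keeps LTI identities in their own namespace, scoped by the consumer key the LMS signed the launch with, and grants only LTI roles. The directory contents, role names, the `consumer_key` parameter and the `lti:` prefix are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed local user directory. Only the two account names quoted in the
# advisory are taken from it; the roles and the third user are made up.
LOCAL_USERS = {
    "admin": {"ROLE_ADMIN", "ROLE_USER"},
    "opencast_system_account": {"ROLE_ADMIN", "ROLE_SYSTEM"},
    "jdoe": {"ROLE_USER"},
}

# Collisions recorded by the hardened path, for auditing and alerting.
COLLISIONS: list = []


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


def vulnerable_lti_login(lti_user_id: str) -> Principal:
    """Trusts the LTI-supplied user id blindly: if it matches a local
    account, the launch inherits every role of that account."""
    roles = LOCAL_USERS.get(lti_user_id, set())
    return Principal(lti_user_id, roles | {"ROLE_USER", "ROLE_LTI_USER"})


def hardened_lti_login(consumer_key: str, lti_user_id: str) -> Principal:
    """Keeps LTI identities in a separate namespace scoped by the tool
    consumer key (an assumed parameter) and never consults the local
    directory for roles. A user id that collides with a local account still
    gets only the LTI role set, and the collision is recorded for review."""
    if lti_user_id in LOCAL_USERS:
        COLLISIONS.append((consumer_key, lti_user_id))
    return Principal(f"lti:{consumer_key}:{lti_user_id}",
                     {"ROLE_USER", "ROLE_LTI_USER"})


def is_admin(p: Principal) -> bool:
    """Authorization check: does the principal hold an administrative role?"""
    return "ROLE_ADMIN" in p.roles


if __name__ == "__main__":
    for name in ("admin", "opencast_system_account", "jdoe"):
        print(name, is_admin(vulnerable_lti_login(name)),
              is_admin(hardened_lti_login("moodle-prod", name)))
```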