[CVE-2018-16154] Opencast publicly publishes credentials for all tenant CA users


Lars Kiesow

Dec 10, 2018, 3:41:35 PM
to security...@opencast.org
This is the official security notice regarding a security issue
recently discovered in the development branch of Opencast. This issue
does not affect any released version.

Tracked as:

CVE-2018-16154

Description:

Insufficiently protected credentials of capture agent users in
Apereo Opencast 6.x (development version) allow anyone to retrieve
valid user credentials via public REST API.


Affects:

This issue affects the development version of Opencast 6 starting
from 2018-04-18 to 2018-11-15 (introduced with commit 135922e9b,
resolved by commit ef1e42739b).


Details:

Opencast 6 introduces organization (tenant) specific capture agent
users to limit the access rights granted to capture agents by
default.

A mistake in the way this was implemented led to the public
disclosure of the credentials for these users, meaning that everyone
with access via web could request their usernames and passwords. No
authentication required.

These users are not configured by default. Hence, this only affects
installations which explicitly configured these users.


Patching the system:

Patches for this issue can be found as commit ef1e42739b. This is
included in Opencast 6.0. Note that this patch deactivates the
feature for 6.x. The feature will be reintroduced in 7.0.