Hello,
this is the official security notice regarding a minor security issue
recently discovered in Opencast 2.x.
Description:
This issue might add an unwanted additional ROLE_ANONYMOUS to a newly
created user when that user is created through the user-utils REST
endpoint.
Affects:
This issue affects all set-ups of Opencast >= 2.0. It is only relevant
to you if you create users directly through the user-utils REST
endpoint (e.g. from scripts or external tools) rather than through the
admin UI.
Details:
There has been an issue with the user-utils REST endpoint which, when
given an empty field for roles, might assign an unwanted additional
ROLE_ANONYMOUS to the newly created user.
The chance that this actually affects any user is quite low: the UI
sends exactly the kind of data for which this does not happen, and
even if it does happen, the user would only gain ROLE_ANONYMOUS, which
has no additional privileges in a default set-up. Set-ups that have
granted extra permissions to ROLE_ANONYMOUS should nevertheless review
the roles of users created through this endpoint.
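For operators who script user creation against this endpoint, the following added example shows the two checks implied by the notice: refusing to send an empty roles field in the first place, and auditing an exported user list for accounts that carry ROLE_ANONYMOUS directly. This is illustration code written for this notice, not Opencast's own code and not the patch linked below. It assumes that the user list can be obtained as a JSON array of objects with "username" and "roles" keys (the sample below is constructed in that shape and is not real data) and that roles are submitted as a list or a comma-separated string; neither detail is taken from the notice.

```python
"""Operator-side checks around the Opencast 2.x user-utils issue.

Added example, not Opencast's code. Assumptions (not from the notice):
  * a user export is a JSON array of {"username": ..., "roles": [...]};
  * roles are given to the create-user call as a list of strings or as a
    comma-separated string.
"""
import json

ROLE_ANONYMOUS = "ROLE_ANONYMOUS"

# Constructed sample in the assumed export shape; not real account data.
SAMPLE_USERS_JSON = json.dumps([
    {"username": "alice", "roles": ["ROLE_ADMIN", "ROLE_ANONYMOUS"]},
    {"username": "bob", "roles": ["ROLE_USER"]},
    {"username": "carol", "roles": []},
])


def users_with_role(users_json: str, role: str = ROLE_ANONYMOUS) -> list:
    """Return (sorted) usernames whose own role list contains `role`.

    Used to find accounts that were created with the unwanted extra role;
    a clean default install should normally report no direct holders.
    """
    users = json.loads(users_json)
    return sorted(u["username"] for u in users if role in u.get("roles", []))


class EmptyRolesError(ValueError):
    """Raised when a create-user request would carry an empty roles field."""


def roles_for_request(roles) -> list:
    """Normalise the roles to send with a create-user request.

    Rejects exactly the input the notice warns about: an empty roles field
    (None, "", [] or only blank entries). Whitespace is stripped and
    duplicates removed, so the endpoint never sees an empty or blank role.
    """
    if roles is None:
        raise EmptyRolesError("roles field is empty")
    if isinstance(roles, str):
        roles = roles.split(",")
    cleaned = []
    for r in roles:
        r = r.strip()
        if r and r not in cleaned:
            cleaned.append(r)
    if not cleaned:
        raise EmptyRolesError("roles field is empty")
    return cleaned


def rejects_empty(roles) -> bool:
    """True if `roles` would be refused as an empty roles field."""
    try:
        roles_for_request(roles)
    except EmptyRolesError:
        return True
    return False


if __name__ == "__main__":
    print("direct ROLE_ANONYMOUS holders:", users_with_role(SAMPLE_USERS_JSON))
    print("roles to send:", roles_for_request("ROLE_USER, ROLE_USER,"))
    print("empty field rejected:", rejects_empty(""))
```

Run the audit against a real export once the patched version is deployed as well, since users created before the fix keep whatever roles they were given at creation time.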
Patching the system:
Patches for this issue will be included in Opencast 2.0.2 and
Opencast 2.1.0. There will be no additional security release for
2.0.x since this issue does not allow direct attacks on Opencast.
Patches for this issue, including additional error handling for the
whole endpoint, can already be found at:
2.0.x:
https://bitbucket.org/opencast-community/matterhorn/pull-requests/741
2.1.x:
https://bitbucket.org/opencast-community/matterhorn/pull-requests/729
Best regards,
Lars Kiesow