[CVE-2018-19899] Incorrect Access Control in Asset Manager

Lars Kiesow

Dec 10, 2018, 3:37:25 PM12/10/18
to security...@opencast.org
This is the official security notice regarding a security issue
recently discovered in all asset manager based versions of Opencast.

Tracked as:

CVE-2018-19899

Description:

Invalid access control in the asset manager in Opencast 4.x and 5.x
allows full read and write access to all assets within an
organization for users with access to the REST interfaces.


Affects:

This issue affects Opencast ≤ 5.2.


Details:

When creating a new asset manager snapshot, the access control list
used for verifying the privileges of the user attempting the action
is provided by the same user, right in the request. So there is no
actual security at all for this action.

This allows users to set new access control rules for any assets,
allowing them full access to all other functions regarding that
asset.


Patching the system:

Patches for this issue can be found as commit fd2db19 [1]. This patch
is included in Opencast 6.0 and will be in 5.3, which is scheduled to
be released in the coming weeks.


[1] https://github.com/opencast/opencast/commit/fd2db19
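The access-control flaw the notice describes, as an added example that is not part of the original post and not Opencast's code: a constructed asset store where the vulnerable method checks the caller's roles against the ACL the caller supplied in the request, beside a hardened method that checks against the ACL already stored server-side for the asset. The names (AssetStore, snapshot_insecure, snapshot_secure) and the role/action model are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model: an ACL maps a role name to the set of actions it permits.
ACL = dict[str, set[str]]


@dataclass
class AssetStore:
    # Server-side ACL per asset id (assumed structure, not Opencast's).
    acls: dict[str, ACL] = field(default_factory=dict)

    @staticmethod
    def _allowed(acl: ACL, roles: set[str], action: str) -> bool:
        return any(action in acl.get(role, set()) for role in roles)

    def snapshot_insecure(self, asset_id: str, roles: set[str], requested_acl: ACL) -> bool:
        """Vulnerable pattern: the privilege check uses the ACL the caller sent."""
        if not self._allowed(requested_acl, roles, "write"):
            return False
        # The caller-chosen ACL now governs the asset: any caller can grant itself access.
        self.acls[asset_id] = requested_acl
        return True

    def snapshot_secure(self, asset_id: str, roles: set[str], requested_acl: ACL) -> bool:
        """Hardened pattern: the privilege check uses the ACL already stored for the asset."""
        current = self.acls.get(asset_id)
        if current is None:
            # Unknown asset: creating one needs a separate organisation-level check (assumption).
            return False
        if not self._allowed(current, roles, "write"):
            return False
        # Only a caller with write access under the existing ACL may replace it.
        self.acls[asset_id] = requested_acl
        return True


def demo() -> tuple[bool, bool]:
    """Constructed scenario: a user without rights on asset-1 submits an ACL granting itself access."""
    owner_acl: ACL = {"ROLE_OWNER": {"read", "write"}}
    crafted_acl: ACL = {"ROLE_OTHER": {"read", "write"}}
    attacker_roles = {"ROLE_OTHER"}
    vulnerable = AssetStore({"asset-1": dict(owner_acl)})
    hardened = AssetStore({"asset-1": dict(owner_acl)})
    escalated = vulnerable.snapshot_insecure("asset-1", attacker_roles, crafted_acl)
    blocked = not hardened.snapshot_secure("asset-1", attacker_roles, crafted_acl)
    return escalated, blocked


if __name__ == "__main__":
    print(demo())  # (True, True): the insecure path grants access, the secure path refuses
```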