Privilege Escalation Vulnerability In Opencast 2.x


Lars Kiesow

Jul 10, 2017, 7:56:51 AM
to Opencast Security Notices
The Problem
-----------

In previous Opencast 2.x releases, anyone who can edit groups (in the
Admin UI, through the External API or through other REST endpoints) can:

- Add the role ROLE_ADMIN (or the customisable role for tenant
administrators) to any group

- Add users to groups that have ROLE_ADMIN (or the customisable role
for tenant administrators)

Once a user has ROLE_ADMIN, they have full access not just to all
functionality and content provided by the Admin UI, but also to the
REST endpoints.


Proposed Action
---------------

Essentially, only users with ROLE_ADMIN should be able to directly or
indirectly assign ROLE_ADMIN (or the customisable tenant admin role) to
a user. Only users with the customisable tenant admin role should be
able to directly or indirectly assign the customisable tenant admin
role to a user. All other users MUST NOT be able to directly or
indirectly assign ROLE_ADMIN or the customisable tenant admin role to a
user.
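As an added illustration of the rule above (this is not code from Opencast or from the fix), the check below computes which privileged roles a group edit would hand out, either by adding the role to the group or by adding a member to a group that already carries it, and reports those the acting user is not entitled to grant. The tenant admin role name, the group and user names are constructed placeholders, and treating a ROLE_ADMIN holder as also able to assign the tenant admin role is an assumption.

```python
from dataclasses import dataclass

ROLE_ADMIN = "ROLE_ADMIN"


@dataclass(frozen=True)
class Group:
    roles: frozenset    # roles every member of the group inherits
    members: frozenset  # usernames of the group's members


def roles_actor_may_assign(actor_roles, tenant_admin_role):
    """Privileged roles the acting user is allowed to hand out.
    Assumption: a holder of ROLE_ADMIN may also assign the tenant admin role."""
    if ROLE_ADMIN in actor_roles:
        return {ROLE_ADMIN, tenant_admin_role}
    if tenant_admin_role in actor_roles:
        return {tenant_admin_role}
    return set()


def roles_conferred_by_update(old, new, tenant_admin_role):
    """Privileged roles the update grants, directly or indirectly."""
    privileged = {ROLE_ADMIN, tenant_admin_role}
    conferred = set()
    # Directly: a privileged role newly added to the group's role set.
    conferred |= (new.roles - old.roles) & privileged
    # Indirectly: a user newly added to a group that carries a privileged role.
    if new.members - old.members:
        conferred |= new.roles & privileged
    return conferred


def escalation_risk(actor_roles, old, new, tenant_admin_role="ROLE_TENANT_ADMIN"):
    """Return the privileged roles this update would grant that the actor
    may not grant; an empty set means the update may proceed."""
    return (roles_conferred_by_update(old, new, tenant_admin_role)
            - roles_actor_may_assign(actor_roles, tenant_admin_role))


if __name__ == "__main__":
    # Constructed sample: a group editor without admin rights tries to
    # add ROLE_ADMIN to an ordinary group ("ROLE_GROUP_EDITOR" is a placeholder).
    editors = Group(frozenset({"ROLE_USER"}), frozenset({"alice"}))
    tampered = Group(editors.roles | {ROLE_ADMIN}, editors.members)
    print("blocked roles:", escalation_risk({"ROLE_GROUP_EDITOR"}, editors, tampered))
```

Removing a privileged role from a group is deliberately not flagged, since it cannot raise anyone's privileges; the group-edit endpoint would reject the update whenever the returned set is non-empty.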


Affected Versions
-----------------

This issue affects all previous versions of Opencast 2.x.


Fix Version
-----------

The issue has been fixed in Opencast 2.2.5, 2.3.1 and 3.0.


Credits
-------

The issue was discovered by Sven Stauber (SWITCH) and has been fixed by
Waldemar Smirnow (ELAN e.V.) (contracted by SWITCH).