CVE-2020-5230

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*
cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*

History

21 Nov 2024, 05:33

Type Values Removed Values Added
CVSS v2 : 5.0
v3 : 7.5
v2 : 5.0
v3 : 7.7
References () https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 - Patch () https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 - Patch
References () https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq - Third Party Advisory () https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq - Third Party Advisory

Information

Published : 2020-01-30 21:15

Updated : 2024-11-21 05:33


NVD link : CVE-2020-5230

Mitre link : CVE-2020-5230

CVE.ORG link : CVE-2020-5230


JSON object : View

Products Affected

apereo

  • opencast
CWE
CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')