What is CVE-2020-5206?

CVE-2020-5206 is a vulnerability in Opencast versions before 7.6 and 8.1 that allows an attacker to assume proper authentication for a user by using a remember-me cookie with an arbitrary username.

How severe is CVE-2020-5206?

CVE-2020-5206 has a severity score of 10 out of 10, making it critical.

Which versions of Opencast are affected by CVE-2020-5206?

Opencast versions before 7.6 and 8.1 are affected by CVE-2020-5206.

How can an attacker exploit CVE-2020-5206?

An attacker can exploit CVE-2020-5206 by using a remember-me cookie with an arbitrary username, causing Opencast to assume proper authentication for that user.

Are there any available patches or fixes for CVE-2020-5206?

Yes, Opencast has released patches for CVE-2020-5206. It is recommended to update to Opencast version 7.6 or 8.1 to fix this vulnerability.

Vulnerability/
CVE-2020-5206

critical

CWE

287 285

30/1/2020

4/8/2024

CVE-2020-5206: Authentication Bypass For Endpoints With Anonymous Access in OpenCast

First published: Thu Jan 30 2020(Updated: )

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Apereo Opencast	<7.6
Apereo Opencast	=8.0

Remedy

https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-5206?
CVE-2020-5206 is a vulnerability in Opencast versions before 7.6 and 8.1 that allows an attacker to assume proper authentication for a user by using a remember-me cookie with an arbitrary username.
How severe is CVE-2020-5206?
CVE-2020-5206 has a severity score of 10 out of 10, making it critical.
Which versions of Opencast are affected by CVE-2020-5206?
Opencast versions before 7.6 and 8.1 are affected by CVE-2020-5206.
How can an attacker exploit CVE-2020-5206?
An attacker can exploit CVE-2020-5206 by using a remember-me cookie with an arbitrary username, causing Opencast to assume proper authentication for that user.
Are there any available patches or fixes for CVE-2020-5206?
Yes, Opencast has released patches for CVE-2020-5206. It is recommended to update to Opencast version 7.6 or 8.1 to fix this vulnerability.

collector/nvd-index
agent/references
agent/weakness
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/title
agent/remedy
agent/author
agent/severity
agent/last-modified-date
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/apereo
canonical/apereo opencast
version/apereo opencast/8.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.