What is the vulnerability ID for Opencast?

The vulnerability ID for Opencast is CVE-2020-5229.

What is the severity of CVE-2020-5229?

The severity of CVE-2020-5229 is high, with a severity value of 8.1.

How does Opencast store passwords?

Opencast stores passwords using the outdated and insecure MD5 hash algorithm.

What does it mean for the hashes to collide in Opencast?

In Opencast, colliding hashes occur when users with the same username and password have identical password hashes, which can lead to security issues.

How can the vulnerability in Opencast be fixed?

The vulnerability in Opencast can be fixed by updating to version 8.1 or above, as this version addresses the issue of storing passwords using the insecure MD5 algorithm.

Vulnerability/
CVE-2020-5229

high

8.1

CWE

327

30/1/2020

4/8/2024

CVE-2020-5229: Opencast stores passwords using outdated MD5 hash algorithm

First published: Thu Jan 30 2020(Updated: )

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Apereo Opencast	<8.1

Remedy

https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for Opencast?
The vulnerability ID for Opencast is CVE-2020-5229.
What is the severity of CVE-2020-5229?
The severity of CVE-2020-5229 is high, with a severity value of 8.1.
How does Opencast store passwords?
Opencast stores passwords using the outdated and insecure MD5 hash algorithm.
What does it mean for the hashes to collide in Opencast?
In Opencast, colliding hashes occur when users with the same username and password have identical password hashes, which can lead to security issues.
How can the vulnerability in Opencast be fixed?
The vulnerability in Opencast can be fixed by updating to version 8.1 or above, as this version addresses the issue of storing passwords using the insecure MD5 algorithm.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/title
agent/remedy
agent/weakness
agent/severity
agent/last-modified-date
agent/tags
agent/first-publish-date
agent/description
agent/event
vendor/apereo
canonical/apereo opencast

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.