CVE-2020-5231: Opencast users with ROLE_COURSE_ADMIN can create new users
First published: Thu Jan 30 2020(Updated: )
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apereo Opencast | <7.6 | |
| Apereo Opencast | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this Opencast vulnerability?
The vulnerability ID of this Opencast vulnerability is CVE-2020-5231.
What is the severity of CVE-2020-5231?
The severity of CVE-2020-5231 is medium with a CVSS score of 6.5.
What is the affected software for CVE-2020-5231?
The affected software for CVE-2020-5231 is Apereo Opencast versions up to 7.6 and version 8.0.
What is the CWE category for CVE-2020-5231?
The CWE category for CVE-2020-5231 is CWE-276 and CWE-285.
How can I fix CVE-2020-5231?
To fix CVE-2020-5231, update your Opencast to version 7.6 or above, or version 8.1 or above.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/apereo
- canonical/apereo opencast
- version/apereo opencast/8.0