CVE-2020-5231
Description
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name implying an admin for a specific course users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.
Risk Information
Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
0.229
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-5222,CVE-2020-5231,CVE-2020-5206 are fixed in Opencast-Project-opencast-kernel 7.6 | Windows |
| Vulnerabilities CVE-2020-5222,CVE-2020-5231,CVE-2020-5206 are fixed in Opencast-Project-opencast-kernel 8.1 | Windows |
| Vulnerabilities CVE-2020-5222,CVE-2020-5231,CVE-2020-5206 are fixed in Opencast-Project-opencast-kernel for Linux 7.6 | Linux |
| Vulnerabilities CVE-2020-5222,CVE-2020-5231,CVE-2020-5206 are fixed in Opencast-Project-opencast-kernel for Linux 8.1 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234