
CVE-2018-16153: Opencast publishes global system account credentials

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.45478%
Published: 12/14/2021
Updated: 12/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: org.opencastproject:opencast-common
Ecosystem: maven
Vulnerable Versions: < 10.6
First Patched Version: 10.6

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the original implementation of addContentToRepo, which:

  1. Used host-based regex matching (uri.getHost().matches(downloadSource)) to decide whether to authenticate
  2. Created a credentials provider holding the system-wide digest credentials
  3. Sent those credentials to ANY host matching the pattern, regardless of whether that host was a member of the cluster

The patch introduced cluster URL validation via organizationDirectoryService.getOrganization() and restricted credential use to cluster members. The vulnerable function is clearly identified by the security fix, which added the cluster membership check and split authentication handling into getAuthedHttpClient/getNoAuthHttpClient methods.
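The two behaviours the analysis contrasts, as an added Java illustration rather than Opencast's own code: the host-regex decision that hands the system digest credentials to any matching host, and a cluster-membership check in its place. The ClusterInfo interface, the DigestCredentials and HttpClientConfig records, the credential values and the example hostnames are assumptions standing in for the organization service and HTTP client the real project uses; getAuthedHttpClient and getNoAuthHttpClient reuse the method names the analysis mentions but are simplified stand-ins here.

```java
import java.net.URI;
import java.util.List;
import java.util.Set;

// Added illustration, not Opencast's code. ClusterInfo, DigestCredentials and
// HttpClientConfig are assumed stand-ins for the organization service and the
// HTTP client; only the "attach credentials or not" decision is modelled.
public class DownloadAuthDecision {

    /** Stand-in for the digest credentials a node holds for cluster-internal calls. */
    record DigestCredentials(String user, String pass) {}

    /** Stand-in for a configured HTTP client: the target plus optional credentials. */
    record HttpClientConfig(URI target, DigestCredentials credentials) {
        boolean isAuthenticated() { return credentials != null; }
    }

    /** Stand-in for organizationDirectoryService.getOrganization(): the cluster's own base URLs. */
    interface ClusterInfo {
        Set<URI> serverUrls();
    }

    // Vulnerable pattern, as the root-cause analysis describes it: downloadSource is a
    // host regex, and every host that matches it receives the system credentials.
    static HttpClientConfig vulnerableClientFor(URI uri, String downloadSource, DigestCredentials system) {
        String host = uri.getHost();
        if (host != null && host.matches(downloadSource)) {
            return new HttpClientConfig(uri, system); // credentials go to any matching host
        }
        return new HttpClientConfig(uri, null);
    }

    // Patched pattern: credentials are attached only when the target is a cluster member,
    // compared by scheme, host and effective port rather than by a configurable regex.
    static HttpClientConfig getAuthedHttpClient(URI uri, DigestCredentials system) {
        return new HttpClientConfig(uri, system);
    }

    static HttpClientConfig getNoAuthHttpClient(URI uri) {
        return new HttpClientConfig(uri, null);
    }

    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) return uri.getPort();
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    static boolean isClusterMember(URI uri, ClusterInfo cluster) {
        if (uri.getHost() == null || uri.getScheme() == null) return false;
        for (URI server : cluster.serverUrls()) {
            boolean sameScheme = uri.getScheme().equalsIgnoreCase(server.getScheme());
            boolean sameHost = uri.getHost().equalsIgnoreCase(server.getHost());
            boolean samePort = effectivePort(uri) == effectivePort(server);
            if (sameScheme && sameHost && samePort) return true;
        }
        return false;
    }

    static HttpClientConfig patchedClientFor(URI uri, ClusterInfo cluster, DigestCredentials system) {
        return isClusterMember(uri, cluster) ? getAuthedHttpClient(uri, system) : getNoAuthHttpClient(uri);
    }

    public static void main(String[] args) {
        // Constructed placeholder values; not real credentials or hosts.
        DigestCredentials system = new DigestCredentials("digest-user-placeholder", "digest-pass-placeholder");
        ClusterInfo cluster = () -> Set.of(
                URI.create("https://admin.example.org"),
                URI.create("https://worker1.example.org:8443"));
        String broadDownloadSource = ".*"; // a permissive host regex, as such a setting could be configured

        List<URI> mediaPackageUrls = List.of(
                URI.create("https://admin.example.org/files/mediapackage/1/track.mp4"),   // cluster member
                URI.create("https://cdn.example.net/public/track.mp4"));                   // external host

        for (URI uri : mediaPackageUrls) {
            boolean before = vulnerableClientFor(uri, broadDownloadSource, system).isAuthenticated();
            boolean after = patchedClientFor(uri, cluster, system).isAuthenticated();
            System.out.printf("%-55s regex-match sends creds: %-5s cluster-check sends creds: %s%n",
                    uri, before, after);
        }
    }
}
```

With the permissive pattern the regex version attaches the system credentials to the external host as well as the cluster node, while the membership check attaches them only to the cluster node. Matching on scheme, host and effective port avoids a second weak spot in host-only comparison: an attacker-controlled host on the same name but a different scheme or port would not be treated as a member.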


WAF Protection Rules

WAF Rule

The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.

Impact

Opencast before version **.* will try to authenticate against any external services listed in a media package when it is try
