CVE-2018-16153: Opencast publishes global system account credentials
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2018-16153
GHSA ID:
EPSS Score: 0.45478%
CWE:
Published: 12/14/2021
Updated: 12/14/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.opencastproject:opencast-common | maven | < 10.6 | 10.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the original implementation of addContentToRepo, which:
- decided whether to authenticate by matching the target host against a configured regular expression (uri.getHost().matches(downloadSource)), not by checking where the host actually was;
- built a credentials provider holding the system-wide digest credentials; and
- authenticated with those credentials to any host the regex matched, whether or not that host belonged to the Opencast cluster.
Because the check was a pattern match over the host name rather than a membership test, a URL pointing at a host outside the cluster could satisfy it, and the global system account's credentials would be used against that host. The patch validates the target URL against the cluster via organizationDirectoryService.getOrganization() and restricts credential use to cluster members, splitting client creation into getAuthedHttpClient (for cluster members) and getNoAuthHttpClient (for everything else). The vulnerable function is therefore identified by the fix itself: the cluster-membership check and the authed/no-auth client split were added around addContentToRepo.
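The following is an added illustration of the decision logic described above; it is not Opencast's code. The class, the method names, the cluster host set and the download-source pattern are hypothetical stand-ins for the real ones, and the URIs are constructed test inputs. It places the regex-over-host check beside a cluster-membership allowlist so the difference is visible on the same inputs.

```java
import java.net.URI;
import java.util.Set;

// Hypothetical stand-in for the ingest-side decision "do we send the system account's
// credentials to this URL?". Not Opencast's code; names and values are illustrative.
public class IngestAuthDecision {

    /** Vulnerable policy: authenticate whenever the target host matches a configured regex. */
    static boolean vulnerableShouldAuthenticate(URI uri, String downloadSourceRegex) {
        String host = uri.getHost();
        // String.matches() is a full-string match, but a broad or sloppy pattern
        // (".*", a trailing ".*", an unescaped dot) still accepts hosts outside the cluster.
        return host != null && host.matches(downloadSourceRegex);
    }

    /** Hardened policy: authenticate only to hosts that are members of our own cluster,
     *  compared exactly (host names are case-insensitive) rather than by pattern. */
    static boolean hardenedShouldAuthenticate(URI uri, Set<String> clusterHosts) {
        String host = uri.getHost();
        if (host == null) {
            return false;
        }
        return clusterHosts.stream().anyMatch(h -> h.equalsIgnoreCase(host));
    }

    /** Stand-in for the authed / no-auth client split: the credentials-bearing client is
     *  only ever handed out for cluster members; everyone else gets the unauthenticated one. */
    static String clientFor(URI uri, Set<String> clusterHosts) {
        return hardenedShouldAuthenticate(uri, clusterHosts) ? "authed-client" : "no-auth-client";
    }

    public static void main(String[] args) {
        // Constructed inputs: a hypothetical two-node cluster and a permissive download-source regex
        // of the kind an operator might configure to "match our Opencast hosts".
        Set<String> cluster = Set.of("admin.opencast.example.org", "worker1.opencast.example.org");
        String downloadSource = ".*opencast.*";

        URI internal = URI.create("https://worker1.opencast.example.org/files/mediapackage/1/track.mp4");
        URI external = URI.create("https://opencast.attacker.example/track.mp4");

        for (URI u : new URI[] {internal, external}) {
            System.out.printf("%-35s vulnerable=%-5b hardened=%-5b client=%s%n",
                u.getHost(),
                vulnerableShouldAuthenticate(u, downloadSource),
                hardenedShouldAuthenticate(u, cluster),
                clientFor(u, cluster));
        }
    }
}
```

Run it with `java IngestAuthDecision.java` (Java 11 or later). The external host contains the substring the regex looks for, so the vulnerable policy would authenticate to it; the membership check rejects it because it is not one of the cluster's hosts. In a real deployment the allowlist should be derived from the cluster configuration rather than hand-maintained, and the credential-bearing client should only be reachable through the membership check, which is the shape of the fix the page describes.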