7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-16153

GHSA ID

GHSA-hcxx-mp6g-6gr9

EPSS Score

0.45478%

CWE

CWE-200

Published

12/14/2021

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-16153

CVE-2018-16153:
Opencast publishes global system account credentials

The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.

Impact

Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of the target being part of the Opencast cluster or not.

Previous mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.

Patches

Opencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.

Workarounds

No workaround available.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in our issue tracker
Email us at security@opencast.org

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-16153

GHSA ID

GHSA-hcxx-mp6g-6gr9

EPSS Score

0.45478%

CWE

CWE-200

Published

12/14/2021

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:opencast-common	maven	< 10.6	10.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the original implementation of addContentToRepo which:

Used host-based regex matching (uri.getHost().matches(downloadSource)) to determine authentication
Created credentials provider with system-wide digest credentials
Sent these credentials to ANY matching host, regardless of cluster membership

The patch introduced cluster URL validation via organizationDirectoryService.getOrganization() and restricted credential usage to cluster members. The vulnerable function is clearly identified by the security fix that added cluster membership checks and split authentication handling into getAuthedHttpClient/getNoAuthHttpClient methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** issu* w*s mostly miti**t** ***or*, *r*sti**lly r**u*in* t** risk. S** r***r*n**s **low *or mor* in*orm*tion. ### Imp**t Op*n**st ***or* v*rsion **.* will try to *ut**nti**t* ***inst *ny *xt*rn*l s*rvi**s list** in * m**i* p**k*** w**n it is try

Reasoning

T** vuln*r**ility st*ms *rom t** ori*in*l impl*m*nt*tion o* ****ont*ntToR*po w*i**: *. Us** *ost-**s** r***x m*t**in* (uri.**t*ost().m*t***s(*ownlo**Sour**)) to **t*rmin* *ut**nti**tion *. *r**t** *r***nti*ls provi**r wit* syst*m-wi** *i**st *r***nt

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-16153: Opencast publishes global system account credentials

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-16153:
Opencast publishes global system account credentials

Vulnerability Intelligence
Miggo AI