8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5206

GHSA ID

GHSA-vmm6-w4cf-7f3x

EPSS Score

0.52492%

CWE

CWE-285

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5206

CVE-2020-5206: Authentication Bypass For Endpoints With Anonymous Access in Opencast

Impact

Using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access.

This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication.

Patches

This problem is fixed in Opencast 7.6 and Opencast 8.1

Workarounds

As a workaround for older, unpatched versions, disabling remember-me cookies in etc/security/mh_default_org.xml will mitigate the problem but will obviously also disable this feature without obvious indication. To deactivate this, remove the following line from the security configuration:

<sec:remember-me … />

References

Remember-me cookie in the security configuration file

For more information

If you have any questions or comments about this advisory:

Open an issue in opencast/opencast
For security-relevant information, email us at security@opencast.org

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5206

GHSA ID

GHSA-vmm6-w4cf-7f3x

EPSS Score

0.52492%

CWE

CWE-285

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:opencast-kernel	maven	< 7.6	7.6
org.opencastproject:opencast-kernel	maven	>= 8.0, < 8.1	8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper order of authentication checks in the getUser() method. The patched commit (b157e1f) adds an early check for AnonymousAuthenticationToken, indicating the original code processed remember-me cookies even when anonymous access was allowed. The vulnerable function handles authentication state by first checking delegated users, then falling back to security context without proper anonymous access validation, enabling the bypass scenario described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Usin* * r*m*m**r-m* *ooki* wit* *n *r*itr*ry us*rn*m* **n **us* Op*n**st to *ssum* prop*r *ut**nti**tion *or t**t us*r *v*n i* t** r*m*m**r-m* *ooki* w*s in*orr**t *iv*n t**t t** *tt**k** *n*point *lso *llows *nonymous ****ss. T*is w*y,

Reasoning

T** vuln*r**ility st*ms *rom improp*r or**r o* *ut**nti**tion ****ks in t** `**tUs*r()` m*t*o*. T** p*t**** *ommit (*******) ***s *n **rly ****k *or `*nonymous*ut**nti**tionTok*n`, in*i**tin* t** ori*in*l *o** pro**ss** r*m*m**r-m* *ooki*s *v*n w**n

8.7

Basic Information

Concerned about an active attack path?

CVE-2020-5206: Authentication Bypass For Endpoints With Anonymous Access in Opencast

Impact

Patches

Workarounds

References

For more information

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI