6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5222

GHSA ID

GHSA-mh8g-hprg-8363

EPSS Score

0.492%

CWE

CWE-798

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5222

CVE-2020-5222: Hard-Coded Key Used For Remember-me Token in Opencast

Impact

The security configuration in etc/security/mh_default_org.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:

<sec:remember-me key="opencast" user-service-ref="userDetailsService" />

This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.

Such an attack will usually not work on different installations – assuming that safe, unique passwords are used – but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.

Patches

This problem is fixed in Opencast 7.6 and Opencast 8.1

Workarounds

We strongly recommend updating to the patched version. Still, as a workaround for older versions, in etc/security/mh_default_org.xml, set a custom key for each server:

<sec:remember-me key="CUSTOM_RANDOM_KEY" user-service-ref="userDetailsService" />

References

For more information

If you have any questions or comments about this advisory:

Open an issue in opencast/opencast
For security-relevant information, email us at security@opencast.org

Thanks

Thanks to @LukasKalbertodt for reporting the issue.

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5222

GHSA ID

GHSA-mh8g-hprg-8363

EPSS Score

0.492%

CWE

CWE-798

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:opencast-kernel	maven	< 7.6	7.6
org.opencastproject:opencast-kernel	maven	>= 8.0, < 8.1	8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a hard-coded 'key' value in the Spring Security configuration file (etc/security/mh_default_org.xml), not from a specific code function. The XML configuration line <sec:remember-me key="opencast" ... /> statically defines the cryptographic key used for remember-me token generation. This key is shared across all installations, making tokens portable between systems. While the fix introduces a custom class (SystemTokenBasedRememberMeService) to dynamically generate the key, the vulnerability itself resides in the configuration setup rather than a specific code function. The original implementation used Spring's default TokenBasedRememberMeService with a static key, but this is part of the framework, not Opencast's code. Thus, no Opencast code functions are directly implicated with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** s**urity *on*i*ur*tion in `*t*/s**urity/m*_****ult_or*.xml` *n**l*s * r*m*m**r-m* *ooki* **s** on * **s* *r**t** *rom t** [us*rn*m*, p*sswor*, *n* *n ***ition*l syst*m k*y](*ttps://*o*s.sprin*.io/sprin*-s**urity/sit*/*o*s/*.*.x/r***r*

Reasoning

T** vuln*r**ility st*ms *rom * **r*-*o*** 'k*y' v*lu* in t** Sprin* S**urity *on*i*ur*tion *il* (*t*/s**urity/m*_****ult_or*.xml), not *rom * sp**i*i* *o** *un*tion. T** XML *on*i*ur*tion lin* `<s**:r*m*m**r-m* k*y="op*n**st" ... />` st*ti**lly ***in

6.8

Basic Information

Concerned about an active attack path?

CVE-2020-5222: Hard-Coded Key Used For Remember-me Token in Opencast

Impact

Patches

Workarounds

References

For more information

Thanks

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI