7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5228

GHSA ID

GHSA-6f54-3qr9-pjgj

EPSS Score

0.55916%

CWE

CWE-862

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5228

CVE-2020-5228: Unauthenticated Access Via OAI-PMH

Impact

Media publication via OAI-PMH allows unauthenticated public access to all media and metadata by default. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge.

Patches

The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with ROLE_ADMIN by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.

Workarounds

In the organization security configuration (etc/security/mh_default_org.xml), change the roles required for accessing /oaipmh from ROLE_ANONYMOUS to ROLE_ADMIN.

References

Public access configuration in the organization's security configuration

For more information

If you have any questions or comments about this advisory:

Open an issue in opencast/opencast
For security-relevant information, email us at security@opencast.org

(GitHub Advisory)

7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5228

GHSA ID

GHSA-6f54-3qr9-pjgj

EPSS Score

0.55916%

CWE

CWE-862

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:opencast-oaipmh-api	maven	< 7.6	7.6
org.opencastproject:opencast-oaipmh-api	maven	>= 8.0, < 8.1	8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Spring Security configurations allowing unauthenticated access to /oaipmh endpoints. While no Java code changes were shown in the provided patches, the OaiPmhServlet (or equivalent request handler) would be the entry point processing these requests. The security configuration change from ROLE_ANONYMOUS to ROLE_ADMIN in mh_default_org.xml indicates that the corresponding request handler was previously executable without authentication, making it the vulnerable component observable in runtime profiles when exploited.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t M**i* pu*li**tion vi* O*I-PM* *llows un*ut**nti**t** pu*li* ****ss to *ll m**i* *n* m*t***t* *y ****ult. O*I-PM* is p*rt o* t** ****ult work*low *n* is **tiv*t** *y ****ult, r*quirin* **tiv* us*r int*rv*ntion o* us*rs to prot**t m**i*. T*

Reasoning

T** vuln*r**ility st*mm** *rom Sprin* S**urity *on*i*ur*tions *llowin* un*ut**nti**t** ****ss to /o*ipm* *n*points. W*il* no J*v* *o** ***n**s w*r* s*own in t** provi*** p*t***s, t** O*iPm*S*rvl*t (or *quiv*l*nt r*qu*st **n*l*r) woul* ** t** *ntry po

7.6

Basic Information

Concerned about an active attack path?

CVE-2020-5228: Unauthenticated Access Via OAI-PMH

Impact

Patches

Workarounds

References

For more information

7.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI