7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5230

GHSA ID

GHSA-w29m-fjp4-qhmq

EPSS Score

0.55063%

CWE

CWE-99

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5230

CVE-2020-5230: Unsafe Identifiers in Opencast

Impact

Opencast allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations.

In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change.

Patches

This issue is fixed in Opencast 7.6 and 8.1.

Workarounds

There is no workaround for this.

For more information

If you have any questions or comments about this advisory:

Open an issue in opencast/opencast
For security-relevant information, email us at security@opencast.org

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5230

GHSA ID

GHSA-w29m-fjp4-qhmq

EPSS Score

0.55063%

CWE

CWE-99

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:base	maven	< 7.6	7.6
org.opencastproject:base	maven	>= 8.0, < 8.1	8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis focused on the changes made in the patches to identify functions related to the vulnerability. The modifications to IdImpl.java and IngestRestService.java indicate that the processing of identifiers is critical to the vulnerability. The functions identified are directly related to the handling or processing of potentially malicious input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Op*n**st *llows *lmost *r*itr*ry i**nti*i*rs *or m**i* p**k***s *n* *l*m*nts to ** us**. T*is **n ** pro*l*m*ti* *or op*r*tion *n* s**urity sin** su** i**nti*i*rs *r* som*tim*s us** *or *il* syst*m op*r*tions w*i** m*y l*** to *n *tt**k*r

Reasoning

T** *n*lysis *o*us** on t** ***n**s m*** in t** p*t***s to i**nti*y *un*tions r*l*t** to t** vuln*r**ility. T** mo*i*i**tions to `I*Impl.j*v*` *n* `In**stR*stS*rvi**.j*v*` in*i**t* t**t t** pro**ssin* o* i**nti*i*rs is *riti**l to t** vuln*r**ility.

7.7

Basic Information

Concerned about an active attack path?

CVE-2020-5230: Unsafe Identifiers in Opencast

Impact

Patches

Workarounds

For more information

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI