4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5231

GHSA ID

GHSA-94qw-r73x-j7hg

EPSS Score

0.45769%

CWE

CWE-285

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5231

CVE-2020-5231: Users with ROLE_COURSE_ADMIN can create new users in Opencast

Impact

Users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. For example:

# Use the admin to create a new user with ROLE_COURSE_ADMIN using the admin user.
# We expect this to work.
% curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \
  --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201

# Use the new user to create more new users.
# We don't expüect a user with just role ROLE_COURSE_ADMIN to succeed.
# But it does work
% curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \
  --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201

ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation.

Patches

This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.

Workarounds

You can fix this issue by removing all instances of ROLE_COURSE_ADMIN in your organization's security configuration (etc/security/mh_default_org.xml by default).

For more information

If you have any questions or comments about this advisory:

Open an issue in opencast/opencast
For security-relevant information, email us at security@opencast.org

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5231

GHSA ID

GHSA-94qw-r73x-j7hg

EPSS Score

0.45769%

CWE

CWE-285

Published

1/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:opencast-kernel	maven	< 7.6	7.6
org.opencastproject:opencast-kernel	maven	>= 8.0, < 8.1	8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from misconfigured security authorization rules in the XML configuration file (mh_default_org.xml), not from specific code functions. The security configuration erroneously granted ROLE_COURSE_ADMIN access to administrative endpoints like /user-utils/** via intercept-url patterns. The fix involved removing ROLE_COURSE_ADMIN from these patterns. While the user-utils endpoint's handler (e.g., a PUT request handler) is the exploited entry point, the root cause is the security configuration, not a flaw in the handler's code logic. No specific code functions are identified as vulnerable with high confidence from the provided data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs wit* t** rol* `ROL*_*OURS*_**MIN` **n us* t** us*r-utils *n*point to *r**t* n*w us*rs not in*lu*in* t** rol* `ROL*_**MIN`. *or *x*mpl*: ```**s* # Us* t** **min to *r**t* * n*w us*r wit* ROL*_*OURS*_**MIN usin* t** **min us*r. # W*

Reasoning

T** vuln*r**ility st*ms *rom mis*on*i*ur** s**urity *ut*oriz*tion rul*s in t** XML *on*i*ur*tion *il* (m*_****ult_or*.xml), not *rom sp**i*i* *o** *un*tions. T** s**urity *on*i*ur*tion *rron*ously *r*nt** ROL*_*OURS*_**MIN ****ss to **ministr*tiv* *n

4.8

Basic Information

Concerned about an active attack path?

CVE-2020-5231: Users with ROLE_COURSE_ADMIN can create new users in Opencast

Impact

Patches

Workarounds

For more information

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI