5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29237

GHSA ID

GHSA-qm6v-cg9v-53j3

EPSS Score

0.34765%

CWE

CWE-287

Published

5/25/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29237

CVE-2022-29237: Limited Authentication Bypass for Media Files

Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers.

Impact

The vulnerability allows attackers to bypass organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster.

If you do not run a multi-tenant cluster, you are not affected by this issue.

Patches

This issue is fixed in Opencast 10.14 and 11.7.

References

Patch fixing the issue

For more information

If you have any questions or comments about this advisory:

Open an issue in our issue tracker
Email us at security@opencast.org

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29237

GHSA ID

GHSA-qm6v-cg9v-53j3

EPSS Score

0.34765%

CWE

CWE-287

Published

5/25/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:opencast-ingest-service-impl	maven	< 10.14	10.14
org.opencastproject:opencast-ingest-service-impl	maven	>= 11.0, < 11.7	11.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how cluster URLs were validated in addContentToRepo. The pre-patch code used organizationDirectoryService.getOrganization(uri.toURL()) to determine allowed servers, which checks the organization associated with the input URI rather than the current user's organization. This allowed attackers to reference resources from other organizations. The patch replaced this with securityService.getOrganization(), which properly validates against the current user's organizational context. The function's role in media ingestion and the direct modification in the security fix confirm its vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Prior to Op*n**st **.** *n* **.*, us*rs *oul* p*ss *lon* URLs *or *il*s **lon*in* to or**niz*tions ot**r t**n t** us*r's own, w*i** Op*n**st woul* t**n import into t** *urr*nt or**niz*tion, *yp*ssin* or**niz*tion*l **rri*rs. ### Imp**t T** vuln*r**

Reasoning

T** vuln*r**ility st*ms *rom *ow *lust*r URLs w*r* v*li**t** in `****ont*ntToR*po`. T** pr*-p*t** *o** us** `or**niz*tion*ir**toryS*rvi**.**tOr**niz*tion(uri.toURL())` to **t*rmin* *llow** s*rv*rs, w*i** ****ks t** or**niz*tion *sso*i*t** wit* t** in

5.4

Basic Information

Concerned about an active attack path?

CVE-2022-29237: Limited Authentication Bypass for Media Files

Impact

Patches

References

For more information

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI