CVE-2020-5231
Summary
| CVE | CVE-2020-5231 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-01-30 22:15:00 UTC |
| Updated | 2020-02-10 21:55:00 UTC |
| Description | In Opencast before 7.6 and 8.1, users holding the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users with any role other than ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast: it is referenced neither in the documentation nor in any code (except for tests), only in the security configuration. Its name suggests an administrator of a single course, so operators would not expect it to grant user creation. The issue is fixed in 7.6 and 8.1, which both ship a new default security configuration; because the fix lives in that default configuration, deployments that maintain a customized security configuration should verify that ROLE_COURSE_ADMIN has been removed from it as well. |
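One way to check a deployment for this issue, as an added example that is not code from the Opencast project: the script below parses an Opencast-style Spring Security XML file, reports every intercept-url rule that still grants ROLE_COURSE_ADMIN (user-management endpoints first), and flags versions below the fixed releases named in the description. The XML is a constructed stand-in in the same format, not the real default file; the /user-utils/ path prefix and the sample rules are assumptions based on the endpoint named in the description.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Spring Security XML namespace (the "sec:" prefix in Opencast's security config).
SEC_NS = "http://www.springframework.org/schema/security"
SUSPECT_ROLE = "ROLE_COURSE_ADMIN"
# Assumption: the user-utils endpoint named in the advisory is matched by
# intercept-url patterns starting with this prefix.
USER_MGMT_PREFIX = "/user-utils/"
ROLE_TOKEN = re.compile(r"ROLE_[A-Z0-9_]+")

# Constructed sample in the Spring Security format, NOT the real Opencast
# default security file. Two rules deliberately grant the suspect role.
SAMPLE_SECURITY_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN, ROLE_ADMIN_UI, ROLE_COURSE_ADMIN"/>
    <sec:intercept-url pattern="/user-utils/**" access="ROLE_ADMIN, ROLE_COURSE_ADMIN"/>
    <sec:intercept-url pattern="/users/**" access="ROLE_ADMIN"/>
    <sec:intercept-url pattern="/**" access="ROLE_ANONYMOUS"/>
  </sec:http>
</beans>
"""

Rule = Tuple[str, List[str]]  # (URL pattern, roles named in its access attribute)


def parse_intercept_rules(xml_text: str) -> List[Rule]:
    """Extract (pattern, roles) from every sec:intercept-url element.

    Roles are pulled out with a regex so both the comma-separated form and
    expression forms such as hasAnyRole('ROLE_A','ROLE_B') are handled.
    """
    root = ET.fromstring(xml_text)
    rules: List[Rule] = []
    for el in root.iter(f"{{{SEC_NS}}}intercept-url"):
        rules.append((el.get("pattern", ""), ROLE_TOKEN.findall(el.get("access", ""))))
    return rules


def find_suspect_grants(rules: List[Rule], role: str = SUSPECT_ROLE) -> List[Rule]:
    """Rules that grant `role`, with user-management endpoints listed first."""
    hits = [r for r in rules if role in r[1]]
    hits.sort(key=lambda r: not r[0].startswith(USER_MGMT_PREFIX))
    return hits


def is_affected_version(version: str) -> bool:
    """True for versions the description calls affected: anything before 7.6,
    and 8.x before 8.1. Later major versions are treated as fixed.
    Suffixes such as "-SNAPSHOT" are ignored; only the first two numbers count."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:2]]
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    major = nums[0]
    minor = nums[1] if len(nums) > 1 else 0
    if major < 7:
        return True
    if major == 7:
        return minor < 6
    if major == 8:
        return minor < 1
    return False


def audit(xml_text: str, version: str) -> List[str]:
    """Human-readable findings for one deployment; an empty list means clean."""
    findings: List[str] = []
    if is_affected_version(version):
        findings.append(f"Opencast {version} predates the fixed releases 7.6 / 8.1")
    for pattern, roles in find_suspect_grants(parse_intercept_rules(xml_text)):
        if pattern.startswith(USER_MGMT_PREFIX):
            findings.append(f"{SUSPECT_ROLE} can reach user-management endpoint {pattern} "
                            f"(access={', '.join(roles)})")
        else:
            findings.append(f"{SUSPECT_ROLE} is still referenced for {pattern}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SECURITY_XML, "8.0"):
        print("FINDING:", line)
```

To run it against a real deployment, read the deployment's security XML file into a string and pass it to `audit` together with the installed version; a non-empty result on an upgraded installation indicates a customized configuration that still carries the old role grant.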
Risk And Classification
Problem Types: CWE-276 (Incorrect Default Permissions)
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Users with ROLE_COURSE_ADMIN can create new users · Advisory · opencast/opencast · GitHub | CONFIRM | github.com | Exploit, Third Party Advisory |
| Remove ROLE_COURSE_ADMIN · opencast/opencast@72fad00 · GitHub | MISC | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980397 Java (maven) Security Update for org.opencastproject:opencast-kernel (GHSA-94qw-r73x-j7hg)