QID 983113
QID 983113: Java (maven) Security Update for org.opencastproject:opencast-oaipmh-api (GHSA-6f54-3qr9-pjgj)
Security update has been released for org.opencastproject:opencast-oaipmh-api to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Media publication via OAI-PMH allows unauthenticated public access to all media and metadata by default. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge.
Solution
The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.Workaround:
In the organization security configuration (`etc/security/mh_default_org.xml`), change the roles required for accessing `/oaipmh` from `ROLE_ANONYMOUS` to `ROLE_ADMIN`.
In the organization security configuration (`etc/security/mh_default_org.xml`), change the roles required for accessing `/oaipmh` from `ROLE_ANONYMOUS` to `ROLE_ADMIN`.
Vendor References
- GHSA-6f54-3qr9-pjgj -
github.com/advisories/GHSA-6f54-3qr9-pjgj
CVEs related to QID 983113
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-6f54-3qr9-pjgj | org.opencastproject:opencast-oaipmh-api |
github.com/advisories/GHSA-6f54-3qr9-pjgj |