{"containers": {"cna": {"affected": [{"product": "opencast", "vendor": "opencast", "versions": [{"status": "affected", "version": "< 7.6"}, {"status": "affected", "version": ">= 8.0, < 8.1"}]}], "descriptions": [{"lang": "en", "value": "Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(\u2026) vs Id.compact(\u2026) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-99", "description": "CWE-99: Improper Control of Resource Identifiers ('Resource Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-30T20:55:14.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317"}], "source": {"advisory": "GHSA-w29m-fjp4-qhmq", "discovery": "UNKNOWN"}, "title": "Opencast uses unsafe identifiers", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5230", "STATE": "PUBLIC", "TITLE": "Opencast uses unsafe identifiers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "opencast", "version": {"version_data": [{"version_value": "< 7.6"}, {"version_value": ">= 8.0, < 8.1"}]}}]}, "vendor_name": "opencast"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(\u2026) vs Id.compact(\u2026) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-99: Improper Control of Resource Identifiers ('Resource Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq", "refsource": "CONFIRM", "url": "https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq"}, {"name": "https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317", "refsource": "MISC", "url": "https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317"}]}, "source": {"advisory": "GHSA-w29m-fjp4-qhmq", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.097Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5230", "datePublished": "2020-01-30T20:55:14.000Z", "dateReserved": "2020-01-02T00:00:00.000Z", "dateUpdated": "2024-08-04T08:22:09.097Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*", "matchCriteriaId": "7056094F-6E63-4BFB-B8A3-125746BA882C", "versionEndExcluding": "7.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apereo:opencast:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A82AABB-ACF6-4017-99E8-4DA90CE416D7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(\u2026) vs Id.compact(\u2026) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1."}, {"lang": "es", "value": "Opencast anterior a las versiones 8.1 y 7.6 permite utilizar identificadores casi arbitrarios para paquetes y elementos de medios. Esto puede ser problem\u00e1tico para la operaci\u00f3n y la seguridad, ya que tales identificadores a veces se usan para las operaciones del sistema de archivos, lo que puede llevar a un atacante a escapar de directorios de trabajo y escribir archivos en otras ubicaciones. Adem\u00e1s, el comportamiento Id.toString (...) vs Id.compact (...) de Opencast, este \u00faltimo tratando de mitigar algunos de los problemas del sistema de archivos, puede causar errores debido a la falta de coincidencia del identificador ya que un identificador puede cambiar involuntariamente. Este problema se soluciona en Opencast 7.6 y 8.1."}], "id": "CVE-2020-5230", "lastModified": "2024-11-21T05:33:43.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-30T21:15:15.167", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-99"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}