PT-2020-18303 · Opencast Community · Opencast

Lkiesow · Published 2020-01-30 · Updated 2020-02-05 · CVE-2020-5206

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Opencast versions prior to 7.6
Opencast versions prior to 8.1
Description

Presenting a remember-me cookie with an arbitrary username can cause Opencast to treat the request as properly authenticated for that user even when the cookie is invalid, provided that the attacked endpoint also allows anonymous access. An attacker can, for example, forge a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever presenting valid credentials.
Recommendations

For Opencast versions prior to 7.6, update to Opencast 7.6 to fix the issue. For Opencast 8.x versions prior to 8.1, update to Opencast 8.1 to fix the issue. As a temporary workaround for older, unpatched versions, disable remember-me cookies by removing the line <sec:remember-me … /> from etc/security/mh_default_org.xml.
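The following is an added example, not Opencast's code and not the fix the project shipped. It models the failure mode the description names: a filter that derives the request principal from a remember-me cookie before the cookie's signature has been checked, and only enforces the failed check on endpoints that require authentication. The token layout follows the classic Spring Security token-based remember-me cookie, base64(username:expiry:md5hex(username:expiry:password:key)); the user, password, server key, content names and handler functions are constructed for the demonstration. The hardened handler takes the identity only from a verified token and degrades an invalid cookie to anonymous instead of to the name it claims.

```python
import base64
import hashlib
import hmac

# Constructed demo data: one real account and the server-side key that signs
# remember-me tokens. None of this is Opencast configuration.
SERVER_KEY = "constructed-server-key"
USERS = {"admin": "constructed-admin-password"}          # username -> password
ADMIN_USER = "admin"
NON_PUBLIC_CONTENT = {ADMIN_USER: ["unlisted-lecture-42"]}  # only admin may see these
NOW = 1_580_000_000          # constructed "current time" (Jan 2020)
EXPIRY = NOW + 3600          # token valid for one more hour


def signature(username: str, expiry: int, password: str, key: str) -> str:
    """Classic Spring Security token-based remember-me signature:
    md5hex(username:expiry:password:key). The attacker never learns password or key."""
    return hashlib.md5(f"{username}:{expiry}:{password}:{key}".encode()).hexdigest()


def make_cookie(username: str, expiry: int, sig: str) -> str:
    """Cookie value is base64(username:expiry:signature). Anyone can build this
    layout; only a correct signature requires the secret material."""
    return base64.b64encode(f"{username}:{expiry}:{sig}".encode()).decode()


def parse_cookie(cookie: str):
    username, expiry, sig = base64.b64decode(cookie).decode().split(":")
    return username, int(expiry), sig


def verify_cookie(cookie: str, now: int):
    """Return the username if the token is well-formed, unexpired and correctly
    signed for a known account; otherwise None."""
    try:
        username, expiry, sig = parse_cookie(cookie)
    except (ValueError, UnicodeDecodeError):
        return None
    if expiry < now:
        return None
    password = USERS.get(username)
    if password is None:
        return None
    expected = signature(username, expiry, password, SERVER_KEY)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return username


def vulnerable_handler(cookie: str, endpoint_allows_anonymous: bool, now: int):
    """Model of the bug (hypothetical, not Opencast's code): the principal is read
    from the cookie first, and a failed verification is only turned into a 401 on
    endpoints that forbid anonymous access. On an anonymous-accessible endpoint
    the request proceeds under whatever name the cookie claims."""
    claimed_user, _, _ = parse_cookie(cookie)
    if verify_cookie(cookie, now) is None and not endpoint_allows_anonymous:
        return None                       # 401: only enforced here
    return claimed_user                   # forged cookie survives on anonymous endpoints


def fixed_handler(cookie: str, endpoint_allows_anonymous: bool, now: int):
    """Hardened: identity comes only from a verified token. An invalid token
    yields the anonymous principal (or a 401), never the claimed username."""
    username = verify_cookie(cookie, now)
    if username is None:
        return "anonymous" if endpoint_allows_anonymous else None
    return username


def search(principal):
    """Constructed stand-in for a search service: public results for everyone,
    non-public results only when the principal is the administrator."""
    results = ["public-lecture-1"]
    if principal == ADMIN_USER:
        results += NON_PUBLIC_CONTENT[ADMIN_USER]
    return results


def demo():
    genuine = make_cookie(ADMIN_USER, EXPIRY,
                          signature(ADMIN_USER, EXPIRY, USERS[ADMIN_USER], SERVER_KEY))
    forged = make_cookie(ADMIN_USER, EXPIRY, "0" * 32)   # right layout, bogus signature
    return {
        "genuine, vulnerable handler": search(vulnerable_handler(genuine, True, NOW)),
        "forged, vulnerable handler": search(vulnerable_handler(forged, True, NOW)),
        "forged, vulnerable handler, auth-only endpoint": vulnerable_handler(forged, False, NOW),
        "forged, fixed handler": search(fixed_handler(forged, True, NOW)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the comparison is where the check sits in the flow: in the vulnerable model the anonymous-access rule short-circuits the rejection, so the unverified name becomes the principal, and any downstream authorization keyed on that principal (here, the search service) is bypassed. The fix is not a stronger signature but never letting an unverified claim reach the authorization layer.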

Fix

Weakness Enumeration

Improper Authorization
Improper Authentication

Related Identifiers

CVE-2020-5206
GHSA-VMM6-W4CF-7F3X

Affected Products

Opencast