PT-2020-18324 · Opencast Community · Opencast

Published 2020-01-30 · Updated 2020-02-05 · CVE-2020-5228

CVSS v3.1: 7.6 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Opencast versions prior to 7.6
Opencast versions prior to 8.1
Description

The issue allows unauthorized public access to all media and metadata by default via OAI-PMH, which is part of the default workflow and is activated by default. As a result, users unknowingly grant public access to events. The OAI-PMH endpoint is configured to require ROLE_ADMIN by default in Opencast 7.6 and 8.1. Additionally, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows.
Recommendations

For Opencast versions prior to 7.6, update to version 7.6 or later to address the issue. For Opencast versions prior to 8.1, update to version 8.1 or later to address the issue. As a temporary workaround, consider changing the roles required for accessing /oaipmh from ROLE_ANONYMOUS to ROLE_ADMIN in the organization security configuration (etc/security/mh_default_org.xml).
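The following is an added example (not Opencast project code) that audits an organization security file for the weak setting described above and applies the workaround; it assumes the file uses Spring Security `<sec:intercept-url pattern="..." access="..."/>` rules, and the sample document is constructed.

```python
# Added example, not Opencast project code. Assumes etc/security/mh_default_org.xml
# uses Spring Security <sec:intercept-url pattern="..." access="..."/> rules;
# the sample document below is constructed for this demonstration.
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
ET.register_namespace("sec", SEC_NS)
INTERCEPT = f"{{{SEC_NS}}}intercept-url"

# Constructed sample: /oaipmh exposed to ROLE_ANONYMOUS, as in the pre-7.6/8.1 default.
SAMPLE_XML = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="{SEC_NS}">
  <sec:http>
    <sec:intercept-url pattern="/oaipmh/**" access="ROLE_ANONYMOUS" />
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN" />
    <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
  </sec:http>
</beans>
"""

def _roles(el):
    # Spring accepts comma- or space-separated role lists in the access attribute.
    return el.get("access", "").replace(",", " ").split()

def oaipmh_rules(xml_text):
    """Return (pattern, roles) for every intercept-url rule covering /oaipmh."""
    root = ET.fromstring(xml_text)
    return [(el.get("pattern", ""), _roles(el))
            for el in root.iter(INTERCEPT)
            if el.get("pattern", "").startswith("/oaipmh")]

def anonymous_oaipmh(xml_text):
    """Patterns under /oaipmh that grant ROLE_ANONYMOUS: the exposure in CVE-2020-5228."""
    return [p for p, roles in oaipmh_rules(xml_text) if "ROLE_ANONYMOUS" in roles]

def harden(xml_text):
    """Apply the advisory's workaround: ROLE_ANONYMOUS on /oaipmh becomes ROLE_ADMIN."""
    root = ET.fromstring(xml_text)
    for el in root.iter(INTERCEPT):
        if el.get("pattern", "").startswith("/oaipmh") and "ROLE_ANONYMOUS" in _roles(el):
            el.set("access", ",".join("ROLE_ADMIN" if r == "ROLE_ANONYMOUS" else r
                                      for r in _roles(el)))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("anonymous OAI-PMH rules:", anonymous_oaipmh(SAMPLE_XML))
    print("after workaround:", anonymous_oaipmh(harden(SAMPLE_XML)))
```

Run it against a real file by passing the file's contents to `anonymous_oaipmh`; an empty list means no /oaipmh rule grants ROLE_ANONYMOUS.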

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2020-5228
GHSA-6F54-3QR9-PJGJ

Affected Products

Opencast