PT-2020-18325 · Opencast · Opencast

Lowlkiesow · Published 2020-01-30 · Updated 2020-02-05 · CVE-2020-5229

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Opencast versions prior to 8.1

Description: The issue concerns the use of the outdated and cryptographically insecure MD5 hash algorithm for storing passwords. The hashes are salted with the username instead of a random salt, so users with the same username and password end up with the same hash. An attacker who gains access to the database where the hashes are stored could reconstruct a user's password. The problem is addressed in Opencast 8.1, which now uses the stronger bcrypt password hashing algorithm. Note that existing hashes remain MD5 until the password is updated. The /user-utils/users/md5.json API endpoint can be used to identify users whose password hashes are still stored as MD5.

Recommendations: For Opencast versions prior to 8.1, update to version 8.1 to address the issue. As a temporary workaround, consider restricting access to the database where password hashes are stored to minimize the risk of exploitation. Additionally, users can update their passwords to switch from MD5 to the stronger bcrypt hashing algorithm.
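The following is an added example, not Opencast's code, illustrating the two points in the description: a fast hash salted with the username is deterministic (two accounts with the same username and password share a hash, and a table of hashes can be precomputed per username), whereas a password hash with a random per-user salt is not, and legacy hashes only go away once the password is verified again and rehashed. The exact MD5 input layout Opencast used is not given on this page, so the concatenation order is an assumption; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the Python stdlib; the `md5$` / `pbkdf2$` prefixes and the in-memory `store` dict are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Illustrative legacy scheme (assumption: MD5 over username + password).
# Same username and password -> identical hash, on every installation.
def legacy_md5_hash(username: str, password: str) -> str:
    digest = hashlib.md5((username + password).encode("utf-8")).hexdigest()
    return "md5$" + digest

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a random 16-byte salt stored
# alongside the derived key. Iteration count is a constructed demo value.
PBKDF2_ITERATIONS = 200_000

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()

def verify_strong(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    # Constant-time comparison to avoid leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

def is_legacy(stored: str) -> bool:
    return stored.startswith("md5$")

def legacy_users(store: Dict[str, str]) -> List[str]:
    """Local equivalent of 'which users still have MD5 hashes' (constructed store format)."""
    return sorted(user for user, stored in store.items() if is_legacy(stored))

def login_and_upgrade(store: Dict[str, str], username: str, password: str) -> bool:
    """Verify a login; if the account still has a legacy hash and the password
    is correct, replace it with a randomly salted hash (upgrade-on-login)."""
    stored = store.get(username)
    if stored is None:
        return False
    if is_legacy(stored):
        ok = hmac.compare_digest(stored, legacy_md5_hash(username, password))
        if ok:
            store[username] = strong_hash(password)
        return ok
    return verify_strong(password, stored)

if __name__ == "__main__":
    # Constructed sample user store: alice still on the legacy scheme, bob already migrated.
    store = {"alice": legacy_md5_hash("alice", "correct horse"),
             "bob": strong_hash("battery staple")}
    print("legacy users before login:", legacy_users(store))
    print("alice login:", login_and_upgrade(store, "alice", "correct horse"))
    print("legacy users after login:", legacy_users(store))
    # Same credentials on a second deployment produce the same legacy hash,
    # but two strong hashes of one password differ because of the random salt.
    print(legacy_md5_hash("alice", "correct horse") == legacy_md5_hash("alice", "correct horse"))
    print(strong_hash("battery staple") == strong_hash("battery staple"))
```

Running the file shows `alice` listed as legacy until her first successful login, after which only the salted hash remains; the last two lines print `True` and `False`, which is the difference between a deterministic username-salted MD5 and a randomly salted password hash.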

Fix

Weakness: Use of a Broken Cryptographic Algorithm


Weakness Enumeration

Related Identifiers: CVE-2020-5229, GHSA-H362-M8F2-5X7C

Affected Products: Opencast