PT-2020-18327 · Opencast Community · Opencast

Moderate · lkiesow · Published 2020-01-30 · Updated 2020-02-10 · CVE-2020-5231

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Opencast versions prior to 7.6
Opencast versions prior to 8.1

Description
The issue allows users with the role ROLE_COURSE_ADMIN to create new users (without the role ROLE_ADMIN) using the "user-utils" endpoint. ROLE_COURSE_ADMIN is a non-standard role in Opencast, referenced only in the security configuration, and its name implies it is meant for the administrator of a specific course, a role that should not allow user creation. This issue is fixed in versions 7.6 and 8.1, which ship a new default security configuration.

Recommendations
For Opencast versions prior to 7.6, update to version 7.6 or later. For Opencast versions prior to 8.1, update to version 8.1 or later. As a temporary workaround, consider removing all instances of ROLE_COURSE_ADMIN from your organization's security configuration (etc/security/mh_default_org.xml by default).
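The workaround above amounts to auditing the Spring Security rules in mh_default_org.xml and dropping ROLE_COURSE_ADMIN from every access list. The following script is an added example, not part of the advisory or of Opencast; it assumes the file uses Spring Security `intercept-url` elements with a comma-separated `access` attribute, and the embedded configuration is a constructed sample rather than the real shipped file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Spring Security configuration.
# Assumption: the real etc/security/mh_default_org.xml grants access with
# intercept-url rules like these; the patterns below are illustrative only.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="/user-utils/**" access="ROLE_ADMIN, ROLE_COURSE_ADMIN" />
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN" />
    <sec:intercept-url pattern="/**" access="ROLE_USER" />
  </sec:http>
</beans>
"""

ROLE = "ROLE_COURSE_ADMIN"

# Keep the original prefixes when serialising the hardened file.
ET.register_namespace("", "http://www.springframework.org/schema/beans")
ET.register_namespace("sec", "http://www.springframework.org/schema/security")


def _local(tag):
    # Strip the "{namespace}" part ElementTree prepends to qualified tags.
    return tag.rsplit("}", 1)[-1]


def _roles(el):
    return [r.strip() for r in el.get("access", "").split(",") if r.strip()]


def find_rules_with_role(xml_text, role=ROLE):
    """Return (pattern, roles) for every intercept-url that grants `role`."""
    root = ET.fromstring(xml_text)
    return [(el.get("pattern"), _roles(el))
            for el in root.iter()
            if _local(el.tag) == "intercept-url" and role in _roles(el)]


def strip_role(xml_text, role=ROLE, fallback="ROLE_ADMIN"):
    """Remove `role` from every access list; a rule left with no roles at all
    is restricted to `fallback` (a conservative choice, assumed here) rather
    than being emitted with an empty access attribute."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "intercept-url":
            continue
        roles = [r for r in _roles(el) if r != role]
        if roles != _roles(el):
            el.set("access", ", ".join(roles) if roles else fallback)
    return ET.tostring(root, encoding="unicode")
```

Run `find_rules_with_role` against the live file first to see which URL patterns the role currently reaches, then review the output of `strip_role` before replacing the configuration.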

Exploit · Fix

Weakness Enumeration
Improper Authorization
Incorrect Default Permissions

Related Identifiers
CVE-2020-5231
GHSA-94QW-R73X-J7HG

Affected Products
Opencast