PT-2021-19815 · Opencast · Opencast

Lkiesow · Published 2021-06-15 · Updated 2021-06-23 · CVE-2021-32623

CVSS v3.1: 8.1 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Opencast versions prior to 9.6

Description: Opencast is vulnerable to the billion laughs attack, which lets an attacker mount a denial-of-service attack with very little effort, essentially taking down Opencast with a single HTTP request. Exploitation requires ingest privileges, which limits the group of potential attackers. The attack is carried out by sending a crafted XML file, such as createMediaPackage.xml, to an endpoint that accepts XML, like /ingestdownload/ingestdownload. Opencast parses the XML and expands its entity definitions, consuming a huge amount of memory.

Recommendations: To resolve the issue, update to Opencast version 9.6 or later. As a temporary measure, consider restricting access to the ingest functionality to minimize the risk of exploitation, and avoid using endpoints that accept XML, such as /ingestdownload/ingestdownload, until the update is applied. There is no known workaround for this issue.
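The defensive counterpart of the parsing behaviour described above, as an added illustration that is not Opencast's own code: an XML parser that refuses any DOCTYPE or entity declaration before expat can expand it, exercised on two constructed mediapackage-style documents (the element names and document shapes are assumptions, not real Opencast media packages).

```python
"""Added illustration (not Opencast's code): parse ingest XML with DTDs disabled.

Entity-expansion (billion laughs) payloads live in the DOCTYPE, so refusing
any DOCTYPE or ENTITY declaration stops the expansion before it allocates
anything. The document shapes below are constructed for the example."""
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when an incoming document carries a DOCTYPE or entity declaration."""


def parse_element_names(xml_bytes: bytes) -> list[str]:
    """Return element names in document order, refusing any DTD content."""
    names: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", i.e. before any entity inside it is declared.
        raise DtdRejected(f"DOCTYPE {doctype_name!r} not allowed in ingest XML")

    def reject_entity(*_decl):
        # Defence in depth: no entity declaration should ever reach this point.
        raise DtdRejected("entity declarations not allowed in ingest XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)  # handler exceptions propagate out of Parse()
    return names


def rejects_dtd(xml_bytes: bytes) -> bool:
    """True if the document is refused because it carries DTD content."""
    try:
        parse_element_names(xml_bytes)
    except DtdRejected:
        return True
    return False


# Constructed sample documents (not real Opencast media packages).
SAFE_DOC = (b'<?xml version="1.0"?>'
            b'<mediapackage id="mp-1"><media/><metadata/></mediapackage>')
DTD_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE mediapackage [<!ENTITY a "x">]>'
           b'<mediapackage>&a;</mediapackage>')

if __name__ == "__main__":
    print(parse_element_names(SAFE_DOC))  # ['mediapackage', 'media', 'metadata']
    print(rejects_dtd(DTD_DOC))           # True
```

A single harmless entity is enough to trigger the rejection, since the check keys on the presence of a DTD rather than on how deeply it nests.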


Weakness Enumeration

XML Entity Expansion

Related Identifiers

CVE-2021-32623
GHSA-9GWX-9CWP-5C2M

Affected Products

Opencast