org.opencastproject:opencast-ingest-service-impl@8.0 vulnerabilities

latest version

15.4
latest non vulnerable version

15.4
first published

5 years ago
latest version published

a month ago
licenses detected
- ECL-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.opencastproject:opencast-ingest-service-impl package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Access Control Bypass org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale. Affected versions of this package are vulnerable to Access Control Bypass where users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Note: To be able to exploit this vulnerability, attackers must have full access to Opencast's ingest REST interface of an application, and also know internal links to resources in another organization of the same Opencast cluster. Furthermore, users who do not run a multi-tenant cluster are not affected by this issue. How to fix Access Control Bypass? Upgrade `org.opencastproject:opencast-ingest-service-impl` to version 11.7 or higher.	[,11.7)
H Information Exposure org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale. Affected versions of this package are vulnerable to Information Exposure. It will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of whether the target is part of the Opencast cluster or not. How to fix Information Exposure? Upgrade `org.opencastproject:opencast-ingest-service-impl` to version 10.6 or higher.	[,10.6)
M Information Exposure org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale. Affected versions of this package are vulnerable to Information Exposure by allowing references to local file URLs in ingested media packages, which makes it possible for attackers to include local files from Opencast's host machines and making them available via the web interface. ###POC: To expose the `custom.properties` of `develop.opencast.org` via the asset manager, an attacker could have run: `curl -f -i -u admin:opencast \ https://develop.opencast.org/ingest/addMediaPackage/fast \ -F 'flavor=presenter/source'\ -F mediaUri=file:///srv/opencast/opencast-dist-allinone/etc/custom.properties\ -F title="custom.properties"` How to fix Information Exposure? Upgrade `org.opencastproject:opencast-ingest-service-impl` to version 10.6 or higher.	[,10.6)
H XML External Entity (XXE) Injection org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. An attacker could easily execute a (seemingly permanent) denial of service attack via a billion laughs attack (XML bomb). To exploit this, users need to have ingest privileges, limiting the group of potential attackers. How to fix XML External Entity (XXE) Injection? Upgrade `org.opencastproject:opencast-ingest-service-impl` to version 9.6 or higher.	[,9.6)

Go back to all versions of this package

org.opencastproject:opencast-ingest-service-impl@8.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities