org.opencastproject:opencast-kernel@7.4 vulnerabilities

  • latest version

    16.8

  • first published

    5 years ago

  • latest version published

    11 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.opencastproject:opencast-kernel package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability and vulnerable version ranges

    • Improper Input Validation (severity: M, medium)

    org.opencastproject:opencast-kernel is a free and open source solution for automated video capture and distribution at scale.

    Affected versions of this package are vulnerable to Improper Input Validation because HTTPS hostname verification is disabled in the HTTP client that Opencast uses for a large portion of its HTTP requests. Without hostname verification, a certificate issued for any host is accepted, so the TLS connection no longer guarantees that the intended server is on the other end.

    How to fix Improper Input Validation?

    Upgrade org.opencastproject:opencast-kernel to version 7.9, 8.9 or higher.

    Vulnerable versions: [,7.9), [8.0,8.9)

    • Improper Authorization (severity: H, high)

    Affected versions of this package are vulnerable to Improper Authorization. Presenting a remember-me cookie with an arbitrary username can cause Opencast to treat that user as properly authenticated even if the remember-me cookie is invalid, provided that the attacked endpoint also allows anonymous access. An attacker could, for example, fake a remember-me token, assume the identity of the global system administrator, and request non-public content from the search service without ever providing proper authentication.

    How to fix Improper Authorization?

    Upgrade org.opencastproject:opencast-kernel to version 8.1, 7.6 or higher.

    Vulnerable versions: [8.0,8.1), [,7.6)

    • Improper Authorization (severity: M, medium)

    Affected versions of this package are vulnerable to Improper Authorization. The remember-me cookie is derived from a hash of the username, the password, and an additional system key. Because the same inputs yield the same token on every server, an attacker who obtains a remember-me token for one server can access every other server that permits log-in with the same credentials, without ever needing the credentials themselves.

    Such an attack will usually not work across different installations (assuming safe, unique passwords are used), but it is practically guaranteed to grant access to all machines of one cluster if a token from one machine is compromised.

    How to fix Improper Authorization?

    Upgrade org.opencastproject:opencast-kernel to version 8.1, 7.6 or higher.

    Vulnerable versions: [8.0,8.1), [,7.6)

    • Privilege Escalation (severity: M, medium)

    Affected versions of this package are vulnerable to Privilege Escalation. Users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users, as long as the created users are not given the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast that is referenced neither in the documentation nor in any code (except for tests), only in the security configuration. Given its name, which implies an administrator for a specific course, users would not expect this role to permit user creation.

    How to fix Privilege Escalation?

    Upgrade org.opencastproject:opencast-kernel to version 7.6, 8.1 or higher.

    Vulnerable versions: [,7.6), [8.0,8.1)