Homepage
About Snyk

Information Exposure Affecting org.opencastproject:opencast-ingest-service-impl package, versions [,10.6)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.06% (26th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGOPENCASTPROJECT-2320178
  • published 15 Dec 2021
  • disclosed 14 Dec 2021
  • credit Stephen Marquard, Lars Kiesow, Greg Logan
Report a new vulnerability Found a mistake?

Introduced: 14 Dec 2021

CVE-2018-16153 Open this link in a new tab
CWE-200 Open this link in a new tab
CWE-522 Open this link in a new tab

How to fix?

Upgrade org.opencastproject:opencast-ingest-service-impl to version 10.6 or higher.

Overview

org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale.

Affected versions of this package are vulnerable to Information Exposure. It will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of whether the target is part of the Opencast cluster or not.

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

7.5 high