Information Exposure Affecting org.opencastproject:opencast-ingest-service-impl package, versions [,10.6)


Severity

0.0
high
0
10

    Threat Intelligence

    EPSS
    0.06% (26th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGOPENCASTPROJECT-2320178
  • published 15 Dec 2021
  • disclosed 14 Dec 2021
  • credit Stephen Marquard, Lars Kiesow, Greg Logan

How to fix?

Upgrade org.opencastproject:opencast-ingest-service-impl to version 10.6 or higher.

Overview

org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale.

Affected versions of this package are vulnerable to Information Exposure. It will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of whether the target is part of the Opencast cluster or not.

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

7.5 high