Access Control Bypass Affecting org.opencastproject:opencast-ingest-service-impl Open this link in a new tab package, versions [,11.7)


0.0
medium
  • Attack Complexity

    High

  • Privileges Required

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGOPENCASTPROJECT-2847864

  • published

    25 May 2022

  • disclosed

    25 May 2022

  • credit

    Lars Kiesow

How to fix?

Upgrade org.opencastproject:opencast-ingest-service-impl to version 11.7 or higher.

Overview

org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale.

Affected versions of this package are vulnerable to Access Control Bypass where users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers.

Note: To be able to exploit this vulnerability, attackers must have full access to Opencast's ingest REST interface of an application, and also know internal links to resources in another organization of the same Opencast cluster. Furthermore, users who do not run a multi-tenant cluster are not affected by this issue.

References