Access Control Bypass Affecting org.opencastproject:opencast-ingest-service-impl package, versions [,11.7)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Access Control Bypass vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGOPENCASTPROJECT-2847864
- published25 May 2022
- disclosed25 May 2022
- creditLars Kiesow
Introduced: 25 May 2022
CVE-2022-29237 (opens in a new tab)How to fix?
Upgrade org.opencastproject:opencast-ingest-service-impl to version 11.7 or higher.
Overview
org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale.
Affected versions of this package are vulnerable to Access Control Bypass where users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers.
Note: To be able to exploit this vulnerability, attackers must have full access to Opencast's ingest REST interface of an application, and also know internal links to resources in another organization of the same Opencast cluster. Furthermore, users who do not run a multi-tenant cluster are not affected by this issue.