Access Control Bypass Affecting org.opencastproject:opencast-ingest-service-impl package, versions [,11.7)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGOPENCASTPROJECT-2847864
- published 25 May 2022
- disclosed 25 May 2022
- credit Lars Kiesow
Introduced: 25 May 2022
CVE-2022-29237 Open this link in a new tabHow to fix?
Upgrade org.opencastproject:opencast-ingest-service-impl to version 11.7 or higher.
Overview
org.opencastproject:opencast-ingest-service-impl is a free and open source solution for automated video capture and distribution at scale.
Affected versions of this package are vulnerable to Access Control Bypass where users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers.
Note: To be able to exploit this vulnerability, attackers must have full access to Opencast's ingest REST interface of an application, and also know internal links to resources in another organization of the same Opencast cluster. Furthermore, users who do not run a multi-tenant cluster are not affected by this issue.