Description
In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X.
References (1)
Core 1
Core References
Exploit, Issue Tracking, Vendor Advisory x_refsource_confirm
https://opencast.jira.com/browse/MH-11862
Scores
CVSS v3
6.5
EPSS
0.0022
EPSS Percentile
43.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (2)
apereo/opencast
< 2.2.3
org.opencastproject/opencast-kernel
0 - 2.2.4Maven
Published
Nov 17, 2017
Tracked Since
Feb 18, 2026