Vulnerability-Lookup

CVE-2020-5229 (GCVE-0-2020-5229)

Vulnerability from cvelistv5 – Published: 2020-01-30 20:05 – Updated: 2024-08-04 08:22

Title

Opencast stores passwords using outdated MD5 hash algorithm

Summary

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	opencast	opencast	Affected: < 8.1

GHSA-H362-M8F2-5X7C

Vulnerability from github – Published: 2020-01-30 21:21 – Updated: 2021-01-08 20:31

Summary

Password Hashing: Do not use MD5

Details

Impact

User passwords are stored in the database using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default admin user.

This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access to these hashes.

Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords.

Patches

The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated.

For a list of users whose password hashes are stored using MD5, take a look at the /user-utils/users/md5.json REST endpoint.

Workarounds

There is no workaround.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in opencast/opencast
For security-relevant information, email us at security@opencast.org

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-common-jpa-impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-common-jpa-impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-30T19:59:06Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nUser passwords are stored in the database using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user.\n\nThis essentially means that for an attacker, it might be feasible to reconstruct a user\u0027s password given access to these hashes.\n\nNote that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords.\n\n\n### Patches\n\nThe problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated.\n\nFor a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.\n\n\n### Workarounds\n\nThere is no workaround.\n\n### References\n\n- [MD5 (Wikipedia)](https://en.wikipedia.org/wiki/MD5)\n- [bcrypt (Wikipedia)](https://en.wikipedia.org/wiki/Bcrypt)\n- [How weak is MD5 as a password hashing function?](https://security.stackexchange.com/q/52461)\n\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues)\n- For security-relevant information, email us at security@opencast.org",
  "id": "GHSA-h362-m8f2-5x7c",
  "modified": "2021-01-08T20:31:50Z",
  "published": "2020-01-30T21:21:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Password Hashing: Do not use MD5"
}

GSD-2020-5229

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-5229

Aliases

CVE-2020-5229

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-5229",
    "description": "Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user\u0027s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.",
    "id": "GSD-2020-5229"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-5229"
      ],
      "details": "Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user\u0027s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.",
      "id": "GSD-2020-5229",
      "modified": "2023-12-13T01:22:03.235245Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5229",
        "STATE": "PUBLIC",
        "TITLE": "Opencast stores passwords using outdated MD5 hash algorithm"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "opencast",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 8.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "opencast"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user\u0027s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c",
            "refsource": "CONFIRM",
            "url": "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c"
          },
          {
            "name": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e",
            "refsource": "MISC",
            "url": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-h362-m8f2-5x7c",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,7.6),[8.0,8.1)",
          "affected_versions": "All versions before 7.6, all versions starting from 8.0 before 8.1",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-327",
            "CWE-937"
          ],
          "date": "2021-01-08",
          "description": "Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user\u0027s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.",
          "fixed_versions": [
            "7.6",
            "8.1"
          ],
          "identifier": "CVE-2020-5229",
          "identifiers": [
            "GHSA-h362-m8f2-5x7c",
            "CVE-2020-5229"
          ],
          "not_impacted": "All versions starting from 7.6 before 8.0, all versions starting from 8.1",
          "package_slug": "maven/org.opencastproject/opencast-common-jpa-impl",
          "pubdate": "2020-01-30",
          "solution": "Upgrade to versions 7.6, 8.1 or above.",
          "title": "Use of a Broken or Risky Cryptographic Algorithm",
          "urls": [
            "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c",
            "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-5229",
            "https://github.com/advisories/GHSA-h362-m8f2-5x7c"
          ],
          "uuid": "365bcae4-e4df-4f99-b35a-2cab2d6029a8"
        },
        {
          "affected_range": "(,8.1)",
          "affected_versions": "All versions before 7.6, version 8.0",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-327",
            "CWE-937"
          ],
          "date": "2020-02-05",
          "description": "Opencast stores passwords using the outdated and cryptographically insecure MD5 hash algorithm. Password hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide. This is problematic especially for common users like the default `admin` user. This means that for an attacker it might be feasible to reconstruct a user\u0027s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.",
          "fixed_versions": [
            "8.1"
          ],
          "identifier": "CVE-2020-5229",
          "identifiers": [
            "CVE-2020-5229",
            "GHSA-h362-m8f2-5x7c"
          ],
          "not_impacted": "All versions starting from 7.6 before 8.0, all versions after 8.0",
          "package_slug": "maven/org.opencastproject/opencast-kernel",
          "pubdate": "2020-01-30",
          "solution": "Upgrade to version 8.1 or above.",
          "title": "Use of a Broken or Risky Cryptographic Algorithm",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-5229"
          ],
          "uuid": "cc6379c6-94d2-4b0f-8cbf-522dcbe45445"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5229"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user\u0027s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-327"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e"
            },
            {
              "name": "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2020-02-05T20:52Z",
      "publishedDate": "2020-01-30T20:15Z"
    }
  }
}

FKIE_CVE-2020-5229

Vulnerability from fkie_nvd - Published: 2020-01-30 20:15 - Updated: 2024-11-21 05:33

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e	Patch
security-advisories@github.com	https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c	Third Party Advisory

Impacted products

	Vendor	Product	Version
	apereo	opencast	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "11673AEB-4E7B-43BF-98BA-9031E47794ED",
              "versionEndExcluding": "8.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user\u0027s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint."
    },
    {
      "lang": "es",
      "value": "Opencast versiones anteriores a 8.1, almacena contrase\u00f1as usando el algoritmo hash MD5 bastante antiguo y criptogr\u00e1ficamente no seguro. Adem\u00e1s, los hash son salados utilizando el nombre de usuario en lugar de una sal aleatoria, causando que los hash para usuarios con el mismo nombre de usuario y contrase\u00f1a choquen, lo que es problem\u00e1tico, especialmente para usuarios populares tales como el usuario predeterminado \"admin\". Esto esencialmente significa que para un atacante, podr\u00eda ser factible reconstruir la contrase\u00f1a de un usuario dado el acceso a estos hashes. Considere que los atacantes al necesitar acceso a los hashes significa que deben obtener acceso a la base de datos en la que se almacenan primero, para que sean capaces de descifrar las contrase\u00f1as. El problema es abordado en Opencast versi\u00f3n 8.1, que ahora utiliza el algoritmo de hash de contrase\u00f1a bcrypt moderno y mucho m\u00e1s fuerte para almacenar contrase\u00f1as. Tome en cuenta que los hashes antiguos permanecen MD5 hasta que se actualiza la contrase\u00f1a. Para obtener una lista de los usuarios cuyos hash de contrase\u00f1a son almacenados con MD5, visualice al endpoint REST \"/user-utils/users/md5.json\"."
    }
  ],
  "id": "CVE-2020-5229",
  "lastModified": "2024-11-21T05:33:43.367",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-30T20:15:10.420",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-12674

Vulnerability from cnvd - Published: 2020-02-18

Title

Opencast加密问题漏洞

Description

Opencast是一套免费的开源视频管理解决方案，它具有可扩展、可定制和低成本等特点。 Opencast 8.1之前版本和7.6之前版本中存在加密问题漏洞。该漏洞源于网络系统或产品未正确使用相关密码算法，导致内容未正确加密、弱加密、明文存储敏感信息等。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Opencast加密问题漏洞的补丁

Patch Description

Opencast是一套免费的开源视频管理解决方案，它具有可扩展、可定制和低成本等特点。 Opencast 8.1之前版本和7.6之前版本中存在加密问题漏洞。该漏洞源于网络系统或产品未正确使用相关密码算法，导致内容未正确加密、弱加密、明文存储敏感信息等。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c

Reference

https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e

Impacted products

Name
['Opencast Opencast <8.1', 'Opencast Opencast <7.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5229",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-5229"
    }
  },
  "description": "Opencast\u662f\u4e00\u5957\u514d\u8d39\u7684\u5f00\u6e90\u89c6\u9891\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff0c\u5b83\u5177\u6709\u53ef\u6269\u5c55\u3001\u53ef\u5b9a\u5236\u548c\u4f4e\u6210\u672c\u7b49\u7279\u70b9\u3002\n\nOpencast 8.1\u4e4b\u524d\u7248\u672c\u548c7.6\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u4f7f\u7528\u76f8\u5173\u5bc6\u7801\u7b97\u6cd5\uff0c\u5bfc\u81f4\u5185\u5bb9\u672a\u6b63\u786e\u52a0\u5bc6\u3001\u5f31\u52a0\u5bc6\u3001\u660e\u6587\u5b58\u50a8\u654f\u611f\u4fe1\u606f\u7b49\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-12674",
  "openTime": "2020-02-18",
  "patchDescription": "Opencast\u662f\u4e00\u5957\u514d\u8d39\u7684\u5f00\u6e90\u89c6\u9891\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff0c\u5b83\u5177\u6709\u53ef\u6269\u5c55\u3001\u53ef\u5b9a\u5236\u548c\u4f4e\u6210\u672c\u7b49\u7279\u70b9\u3002\r\n\r\nOpencast 8.1\u4e4b\u524d\u7248\u672c\u548c7.6\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u4f7f\u7528\u76f8\u5173\u5bc6\u7801\u7b97\u6cd5\uff0c\u5bfc\u81f4\u5185\u5bb9\u672a\u6b63\u786e\u52a0\u5bc6\u3001\u5f31\u52a0\u5bc6\u3001\u660e\u6587\u5b58\u50a8\u654f\u611f\u4fe1\u606f\u7b49\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Opencast\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Opencast Opencast \u003c8.1",
      "Opencast Opencast \u003c7.6"
    ]
  },
  "referenceLink": "https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e",
  "serverity": "\u4e2d",
  "submitTime": "2020-02-14",
  "title": "Opencast\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-5229 (GCVE-0-2020-5229)

GHSA-H362-M8F2-5X7C

Impact

Patches

Workarounds

References

For more information

GSD-2020-5229

FKIE_CVE-2020-5229

CNVD-2020-12674

Tags

Sightings

Nomenclature