CVE-2020-26234

Published: Dec 8, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

4.8

MEDIUM

Description

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8 Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.

Vendor	Product	Versions
opencast	opencast	affected `< 7.9` affected `>= 8.0, < 8.9`

Weaknesses (CWE)

CWE-346

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6

x_refsource_CONFIRM

https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-26234

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References