Description

An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations.

Remediation

References

https://www.apereo.org/projects/opencast/news

https://github.com/advisories/GHSA-hcxx-mp6g-6gr9

https://github.com/opencast/opencast/commit/776d5588f39c61eb04c03bb955416c4f77629d51

https://docs.opencast.org/r/10.x/admin/#changelog

Related Vulnerabilities

CVE-2017-15719 Vulnerability in maven package com.googlecode.wicket-jquery-ui:wicket-kendo-ui

CVE-2018-11041 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-uaa

CVE-2019-10775 Vulnerability in npm package ecstatic

CVE-2021-25943 Vulnerability in npm package 101

CVE-2019-10806 Vulnerability in npm package vega-util

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Release Notes Third Party Advisory Patch