5.4 - CVE-2022-29237

Executive Summary

Informations
Name	CVE-2022-29237	First vendor Publication	2022-05-24
Vendor	Cve	Last vendor Modification	2022-06-07

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Overall CVSS Score	5.4
Base Score	5.4	Environmental Score	5.4
impact SubScore	2.5	Temporal Score	5.4
Exploitabality Sub Score	2.8

Attack Vector	Network	Attack Complexity	Low
Privileges Required	Low	User Interaction	None
Scope	Unchanged	Confidentiality Impact	Low
Integrity Impact	Low	Availability Impact	None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Cvss Base Score	5.5	Attack Range	Network
Cvss Impact Score	4.9	Attack Complexity	Low
Cvss Expoit Score	8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster. Users who do not run a multi-tenant cluster are not affected by this issue. This issue is fixed in Opencast 10.14 and 11.7.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29237

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-287	Improper Authentication

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apereo Opencast cpe:2.3:a:apereo:opencast:8.0:::::::* cpe:2.3:a:apereo:opencast::::::::	2

Sources (Detail)

Source	Url
CONFIRM	https://github.com/opencast/opencast/security/advisories/GHSA-qm6v-cg9v-53j3
MISC	https://github.com/opencast/opencast/commit/8d5ec1614eed109b812bc27b0c6d3214e...