CVE-2017-1000221 Information

Description

In Opencast 2.2.3 and older if user names overlap the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://opencast.jira.com/browse/MH-11862

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

6.5