GMS-2021-145: Opencast publishes global system account credentials
The issue was mostly mitigated before, drastically reducing the risk. See references below for more information.
Impact
Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user’s credentials, regardless of the target being part of the Opencast cluster or not.
Previous mitigations already prevented clear text authentications for such requests (e.g. HTTP Basic authentication), but with enough malicious intent, even hashed credentials can be broken.
Patches
Opencast 10.6 will now send authentication requests only against servers which are part of the Opencast cluster, preventing external services from getting any form of authentication attempt in the first place.
Workarounds
No workaround available.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in our issue tracker
- Email us at security@opencast.org
References
Code Behaviors & Features
Detect and mitigate GMS-2021-145 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →