CVE-2020-5231

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration.

### Impact Users with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint to create new users not including the role `ROLE_ADMIN`. For example: ```bash # Use the admin to create a new user with ROLE_COURSE_ADMIN using the admin user. # We expect this to work. % curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 # Use the new user to create more new users. # We don't expüect a user with just role ROLE_COURSE_ADMIN to succeed. # But it does work % curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 ``` `ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. ### Patches This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. ### Workarounds You can fix this issue by removing all instances of `ROLE_COURSE_ADMIN` in your organization's security configuration (`etc/security/mh_default_org.xml` by default). ### For more information If you have any questions or comments about this advisory: - Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues) - For security-relevant information, email us at security@opencast.org

### Impact Users with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint to create new users not including the role `ROLE_ADMIN`. For example: ```bash # Use the admin to create a new user with ROLE_COURSE_ADMIN using the admin user. # We expect this to work. % curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 # Use the new user to create more new users. # We don't expüect a user with just role ROLE_COURSE_ADMIN to succeed. # But it does work % curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 ``` `ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. ### Patches This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. ### Workarounds You can fix this issue by removing all instances of `ROLE_COURSE_ADMIN` in your organization's security configuration (`etc/security/mh_default_org.xml` by default). ### For more information If you have any questions or comments about this advisory: - Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues) - For security-relevant information, email us at security@opencast.org

En Opencast anterior a las versiones 7.6 y 8.1, los usuarios con el rol ROLE_COURSE_ADMIN pueden usar el punto final user-utils para crear nuevos usuarios sin incluir el rol ROLE_ADMIN. ROLE_COURSE_ADMIN es un rol no estándar en Opencast al que no se hace referencia ni en la documentación ni en ningún código (excepto para las pruebas) sino solo en la configuración de seguridad. Por el nombre, lo que implica un administrador para un curso específico, los usuarios nunca esperarían que este rol permita la creación de usuarios. Este problema se solucionó en 7.6 y 8.1, que incluyen una nueva configuración de seguridad predeterminada.