GitHub_M·CWE-290·Published 2021-12-14
Opencast is an open source lecture capture and video management system for education. Opencast versions prior to 9.10 allow HTTP method spoofing: the HTTP method the server assumes can be changed via a URL parameter. This allows attackers to turn HTTP GET requests into PUT requests, or to use an HTTP form to send DELETE requests. This bypasses restrictions otherwise placed on these types of requests and aids cross-site request forgery (CSRF) attacks that would otherwise not be possible. The vulnerability allows attackers to craft links or forms that may change the server state. This issue is fixed in Opencast 9.10 and 10.0. You can mitigate the problem by setting the `SameSite=Strict` attribute on your cookies; whether this is a viable option for you depends on your integrations. We strongly recommend updating in any case.
Opencast versions prior to 9.10 allow HTTP method spoofing: the HTTP method the server assumes can be changed via a URL parameter. This allows attackers to turn HTTP GET requests into PUT requests, or to use an HTTP form to send DELETE requests. This bypasses restrictions otherwise placed on these types of requests and aids cross-site request forgery (CSRF) attacks that would otherwise not be possible.

### Impact

The vulnerability allows attackers to craft links or forms that may change the server state. For example, the following GET request would create a new user:

```sh
% curl -i -u admin:opencast \
  'https://legacy.opencast.org/admin-ng/users/test.json?_method=PUT&username=test&password=attack'
HTTP/2 200
…
```

If an admin is logged in to legacy.opencast.org and accidentally clicks this link, a user will silently be created.

### Patches

This issue is fixed in Opencast 9.10 and 10.0.

### Workarounds

You can mitigate the problem by setting the `SameSite=Strict` attribute on your cookies. Whether this is a viable option for you depends on your integrations. We strongly recommend updating in any case.

### References

- [Fix for 10.0](https://github.com/opencast/opencast/commit/59cb6731067283e54f15462be38b6117d8b9ea8b#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8)
- [Fix for 9.10](https://github.com/opencast/opencast/commit/8f8271e1085f6f8e306c689d6a56b0bb8d076444)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues)
* Email us at [security@opencast.org](mailto:security@opencast.org)
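The two defender-side pieces this advisory implies, as an added example that is not Opencast's code or its actual fix: a method-override resolver that ignores `_method` in the query string and honours it only from a POST body, and a scan over constructed access-log lines that flags requests carrying the override parameter in the URL, which is the pattern the bug enables. Log format, paths, and addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

OVERRIDE_PARAM = "_method"                # override parameter named in the advisory
ALLOWED_OVERRIDES = {"PUT", "DELETE", "PATCH"}

def resolve_method(method, query, form):
    """Hardened method-override resolution (illustrative, not Opencast's code).

    `query` and `form` are dicts as returned by urllib.parse.parse_qs.
    The override is honoured only from the body of a real POST, never from
    the query string, so a plain link or GET form cannot become a PUT or
    DELETE.  A cross-site POST form still meets whatever CSRF protection the
    POST path already has; this only closes the GET-link route.
    """
    method = method.upper()
    if method != "POST":
        return method                     # GET/HEAD/... are never rewritten
    override = form.get(OVERRIDE_PARAM, [""])[0].upper()
    # Query-string values are ignored on purpose: that is the spoofing path.
    return override if override in ALLOWED_OVERRIDES else method

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_spoofed_requests(log_text):
    """Return (method, claimed_override, path, status) for every request whose
    URL carries the override parameter; on a vulnerable server a 2xx here
    means the state change most likely went through."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlparse(m["target"])
        qs = parse_qs(url.query)
        if OVERRIDE_PARAM in qs:
            hits.append((m["method"], qs[OVERRIDE_PARAM][0].upper(), url.path, int(m["status"])))
    return hits

# Constructed access-log lines in common log format (not real Opencast logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Dec/2021:10:00:00 +0000] "GET /admin-ng/users/test.json?_method=PUT&username=test HTTP/2" 200 12
10.0.0.5 - admin [14/Dec/2021:10:00:01 +0000] "GET /admin-ng/users/users.json?limit=10 HTTP/2" 200 512
10.0.0.7 - admin [14/Dec/2021:10:00:02 +0000] "POST /admin-ng/users/test.json HTTP/2" 204 0
10.0.0.9 - - [14/Dec/2021:10:00:03 +0000] "GET /admin-ng/event/x.json?_method=DELETE HTTP/2" 200 0
"""

if __name__ == "__main__":
    for hit in find_spoofed_requests(SAMPLE_LOG):
        print("override-by-URL:", hit)
```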
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | Primary | NVD | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| 3.1 | Secondary | NVD | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |