Skip to content

Disabled Hostname Verification in Opencast

High severity GitHub Reviewed Published Dec 8, 2020 in opencast/opencast • Updated Jan 9, 2023

Package

maven org.opencastproject:opencast-kernel (Maven)

Affected versions

< 7.9
>= 8.0, < 8.9

Patched versions

7.9
8.9

Description

Opencast before version 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests.

Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks.

Patches

This problem is fixed in Opencast 7.9 and Opencast 8.9

Self-Signed Certificates

Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate e.g. from Let's Encrypt.

References

@lkiesow lkiesow published to opencast/opencast Dec 8, 2020
Reviewed Dec 8, 2020
Published to the GitHub Advisory Database Dec 8, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.050%
(21st percentile)

Weaknesses

CVE ID

CVE-2020-26234

GHSA ID

GHSA-44cw-p2hm-gpf6

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.