Vulnerability Description
Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8 Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apereo | Opencast | < 7.9 |
Related Weaknesses (CWE)
References
- https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621PatchThird Party Advisory
- https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6Third Party Advisory
- https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621PatchThird Party Advisory
- https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6Third Party Advisory
FAQ
What is CVE-2020-26234?
CVE-2020-26234 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using...
How severe is CVE-2020-26234?
CVE-2020-26234 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26234?
Check the references section above for vendor advisories and patch information. Affected products include: Apereo Opencast.