CVE Tools
Sign in

CVE-2020-26234

Disabled Hostname Verification in OpenCast

Published: Dec 8, 2020Updated: Nov 21, 2024 Sources: CVE List NVD GHSACWE-346
NVD MITRE
4.8CVSSMEDIUM
EPSS Score
0.3%
Top 80.9%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8 Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.

CVSS Vector Breakdown

AV:NAC:HPR:LUI:RS:UC:NI:HA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:LPrivileges Required
Low
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:HIntegrity
High
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-346

Affected Products

opencastopencast
On-prem
Communications / video-conferencing
org.opencastproject:opencast-kernelMavenOSS Libraries
opencastapereo
Mixed
Cloud & SaaS / saas-application
opencastoss-projectCommunications
mavenpackage-ecosystemOSS Libraries
apereooss-projectCloud & SaaSaka opencast, central authentication service, cas, phpcas

Exploitability

Official Patch Available

References

https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6
github.com
https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc
github.com
https://nvd.nist.gov/vuln/detail/CVE-2020-26234
nvd.nist.gov

Timeline

Published
Dec 8, 2020
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2020-26234 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows