SCA: security update for org.opencastproject:opencast-kernel (GHSA-44cw-p2hm-gpf6)

Severity: Medium | Tenable Cloud Security | Plugin ID 409932

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Opencast before versions 7.9 and 8.8 disables HTTPS hostname verification in the HTTP client used for a
large portion of Opencast's HTTP requests. Hostname verification is the part of HTTPS that ensures the
presented certificate is actually valid for the host being contacted; the certificate chain may still be
checked, but without the name check any trusted certificate can be used to impersonate the target, which
allows man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8. Be aware that
fixing the problem means Opencast will no longer simply accept self-signed certificates unless they have
been properly imported. If you need such certificates, import them into the Java key store. Better yet,
get a valid certificate. (CVE-2020-26234)
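Added example, not Opencast's own code: the weak HTTP client configuration the advisory describes beside the hardened form it recommends, plus a small self-check. It assumes Apache HttpClient 4.4+ (the `org.apache.http` packages), a hypothetical trust store path passed on the command line, and, for the self-check in `main`, that `https://wrong.host.badssl.com/` (a host that presents a publicly trusted certificate issued for a different name) is reachable; with hostname verification disabled the request to that host succeeds, with it enabled it must fail.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class HostnameVerificationExample {

  // The weak setting (CWE-297): the certificate chain is still validated
  // against the trust store, but the name in the certificate is never compared
  // with the host being contacted, so any trusted certificate, e.g. one issued
  // for an unrelated domain, can be used to impersonate the target.
  static CloseableHttpClient insecureClient() throws Exception {
    SSLContext ctx = SSLContexts.createDefault();
    SSLConnectionSocketFactory sf =
        new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);
    return HttpClients.custom().setSSLSocketFactory(sf).build();
  }

  // The hardened setting: keep the default (RFC 2818/6125) hostname check and,
  // where self-signed certificates are unavoidable, trust them explicitly via a
  // trust store instead of loosening verification. trustStore == null means
  // "use the JVM's default trust store" (hypothetical path, supplied by caller).
  static CloseableHttpClient hardenedClient(Path trustStore, char[] password) throws Exception {
    SSLContext ctx;
    if (trustStore == null) {
      ctx = SSLContexts.createDefault();
    } else {
      KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
      try (InputStream in = Files.newInputStream(trustStore)) {
        ks.load(in, password);
      }
      ctx = SSLContexts.custom().loadTrustMaterial(ks, null).build();
    }
    SSLConnectionSocketFactory sf =
        new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
    return HttpClients.custom().setSSLSocketFactory(sf).build();
  }

  // Returns true if the client accepted the TLS connection, false if the
  // handshake was rejected by certificate or hostname verification.
  static boolean connects(CloseableHttpClient client, String url) throws Exception {
    try (CloseableHttpResponse r = client.execute(new HttpGet(url))) {
      return r.getStatusLine().getStatusCode() > 0;
    } catch (SSLException e) {
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    // Assumed reachable: a host whose certificate is valid but for another name.
    String url = args.length > 0 ? args[0] : "https://wrong.host.badssl.com/";
    Path trustStore = args.length > 1 ? Paths.get(args[1]) : null;
    char[] pw = args.length > 2 ? args[2].toCharArray() : null;

    try (CloseableHttpClient weak = insecureClient();
         CloseableHttpClient strong = hardenedClient(trustStore, pw)) {
      System.out.println("hostname verification disabled -> connected: " + connects(weak, url));
      System.out.println("hostname verification enabled  -> connected: " + connects(strong, url));
    }
  }
}
```

Run it with `httpclient` 4.5.x and `httpcore` 4.4.x on the classpath. To keep a self-signed certificate working after the fix, import it into a trust store rather than touching the verifier, e.g. `keytool -importcert -trustcacerts -alias opencast-node -file node.crt -keystore truststore.jks`, then pass that file as the second argument here (or set `-Djavax.net.ssl.trustStore=truststore.jks` on the JVM if the default context is used). The import only helps if the certificate's subject alternative name matches the host you connect to; a mismatched name is still rejected, which is the whole point.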

See Also

https://github.com/advisories/GHSA-44cw-p2hm-gpf6

Plugin Details

Severity: Medium

ID: 409932

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 8/11/2025

Risk Information

VPR

Risk Factor: Low

Score: 3.6

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-26234

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/8/2020

Vulnerability Publication Date: 12/8/2020

Reference Information

CVE: CVE-2020-26234

CWE: CWE-297 (Improper Validation of Certificate with Host Mismatch)