SCA: security update for org.opencastproject:opencast-oaipmh-api (GHSA-6f54-3qr9-pjgj)

high Tenable Self-Hosted Container Security Plugin ID 423347

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via
OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user
intervention of users to protect media. This leads to users unknowingly handing out public access to
events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH
endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9
removes the OAI-PMH publication from the default workflow, making the publication a conscious decision
users have to make by updating their workflows. (CVE-2020-5228)

See Also

https://github.com/advisories/GHSA-6f54-3qr9-pjgj

Plugin Details

Severity: High

ID: 423347

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-5228

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/30/2020

Vulnerability Publication Date: 1/30/2020

Reference Information

CVE: CVE-2020-5228

cwe: CWE-862