Opencast is a widely adopted open-source platform for managing and distributing educational audio and video content. CVE-2022-41965 is an open redirect vulnerability affecting Opencast versions prior to 12.5: a crafted link to the Paella authentication page can send a user who logs in there on to an arbitrary external URL, exposing them to phishing or other attacks. This article describes the vulnerability, walks through code snippets to illustrate the flaw and the fix, and lists the original sources.

Vulnerability Details

The CVE-2022-41965 vulnerability exists in the Paella authentication page of Opencast. An attacker exploits it by getting a user to open a specially crafted link to the genuine Opencast login page; once the user has authenticated, the page forwards them to an external, attacker-chosen website. Because the redirect follows a real login on the legitimate host, the victim has little reason to distrust the destination, which makes a subsequent phishing page or other attack far more convincing.

The core issue resides in PaellaAccessController.java, which handles the authentication flow. In the affected versions, the application does not validate the supplied returnUrl parameter, so an attacker can craft a URL whose returnUrl points at an external destination, and the user is sent there after a successful login.

Here is a simplified view of the vulnerable code from PaellaAccessController.java:

@RequestMapping(method = RequestMethod.GET)
public ModelAndView form(HttpServletRequest request) {
  ...
  // Taken verbatim from the query string: no check on scheme or host
  String returnUrl = request.getParameter("returnUrl");
  // Handed to the view, which uses it as the post-login redirect target
  modelAndView.addObject("returnUrl", returnUrl);
  ...
  return modelAndView;
}

As the snippet shows, returnUrl is read straight from the request and stored in the ModelAndView without any check on its scheme or host. An attacker therefore only needs to build a link such as the following (hostnames are illustrative):

https://example-opencast.com/paella/auth.html?returnUrl=https://malicious-website.com

A user who follows this link sees the real Opencast login page, authenticates, and is then redirected to https://malicious-website.com, where a look-alike login form or other malicious content may be waiting.

Mitigation

To address this vulnerability, Opencast released version 12.5, which validates the returnUrl parameter before using it. Administrators are encouraged to upgrade their Opencast installations to version 12.5 or later to mitigate CVE-2022-41965. In simplified form, the corrected logic looks like this (the body of the validation method is not reproduced here):

@RequestMapping(method = RequestMethod.GET)
public ModelAndView form(HttpServletRequest request) {
  ...
  String returnUrl = request.getParameter("returnUrl");
  if (isValidReturnUrl(returnUrl)) {
    // Only a value that passed validation reaches the view
    modelAndView.addObject("returnUrl", returnUrl);
  } else {
    // Rejected values are logged and never used as a redirect target
    logger.warn("Invalid returnUrl supplied: {}", returnUrl);
  }
  ...
  return modelAndView;
}

private boolean isValidReturnUrl(String returnUrl) {
  // validation logic here
}

Notice the introduction of the isValidReturnUrl method: only values that pass it are stored in the ModelAndView, and anything else is logged and dropped. What counts as valid is the important part. A robust check accepts only targets that stay on the Opencast host itself, typically a path beginning with a single "/", and rejects absolute URLs, protocol-relative forms such as //malicious-website.com, backslash variants such as /\malicious-website.com (which browsers normalise to the protocol-relative form), and scheme-only forms such as javascript:. Attempting to blocklist known-bad hosts instead is not a reliable defence.
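As an added example, not code from the Opencast project and not the actual 12.5 fix, the following class gives the stubbed isValidReturnUrl a concrete body and exercises it against the kinds of values an attacker would try against the vulnerable controller above. The class name ReturnUrlValidator, the helper safeReturnUrl and the default target "/" are assumptions for this illustration; the test inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Illustrative validator for the returnUrl parameter (example code, not Opencast's fix).
// Policy: accept only path-absolute, same-host targets; reject everything else.
public final class ReturnUrlValidator {

    // Where to send the user when the supplied value is rejected (assumed default).
    private static final String DEFAULT_TARGET = "/";

    // Returns true only if returnUrl cannot take the browser off the current host.
    public static boolean isValidReturnUrl(String returnUrl) {
        if (returnUrl == null || returnUrl.isEmpty()) {
            return false;
        }
        // Must start with exactly one "/": "//evil.example" is protocol-relative,
        // and browsers normalise "/\evil.example" to the same thing.
        if (returnUrl.charAt(0) != '/') {
            return false;
        }
        if (returnUrl.length() > 1
                && (returnUrl.charAt(1) == '/' || returnUrl.charAt(1) == '\\')) {
            return false;
        }
        final URI uri;
        try {
            // java.net.URI rejects illegal characters (whitespace, raw CR/LF,
            // backslashes) outright, which also blocks header-injection payloads.
            uri = new URI(returnUrl);
        } catch (URISyntaxException e) {
            return false;
        }
        // The parser must agree: no scheme, no authority, and an absolute path.
        return uri.getScheme() == null
                && uri.getRawAuthority() == null
                && uri.getRawPath() != null
                && uri.getRawPath().startsWith("/");
    }

    // What the controller should actually redirect to: the validated value or the default.
    public static String safeReturnUrl(String returnUrl) {
        return isValidReturnUrl(returnUrl) ? returnUrl : DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        // Constructed test inputs: {value, expected verdict}
        String[][] cases = {
            {"/engage/ui/watch.html?id=abc", "true"},
            {"/paella/ui/watch.html?id=abc#t=10", "true"},
            {"https://malicious-website.com", "false"},     // absolute URL
            {"//malicious-website.com/login", "false"},      // protocol-relative
            {"/\\malicious-website.com", "false"},           // backslash variant
            {"https:malicious-website.com", "false"},        // scheme without "//"
            {"javascript:alert(document.cookie)", "false"},  // non-HTTP scheme
            {"/ok\r\nLocation: https://malicious-website.com", "false"}, // CRLF injection
            {"", "false"},
        };
        for (String[] c : cases) {
            boolean got = isValidReturnUrl(c[0]);
            String shown = c[0].replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-48s -> %-5b (expected %s)%n", shown, got, c[1]);
            if (got != Boolean.parseBoolean(c[1])) {
                throw new AssertionError("unexpected verdict for " + shown);
            }
        }
        System.out.println("safeReturnUrl(null) -> " + safeReturnUrl(null));
    }
}
```

Compile and run with javac ReturnUrlValidator.java && java ReturnUrlValidator. The design choice is an allowlist: rather than looking for bad hosts, the check admits only path-absolute values and lets java.net.URI confirm that no scheme or authority survived parsing. If a deployment genuinely needs to accept absolute URLs pointing back at the Opencast server itself, resolve the candidate against the configured server URL and compare scheme and host; a plain string-prefix test on the server URL is easy to bypass with values such as https://example-opencast.com.malicious-website.com.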

Original References

For more information about this vulnerability and the fixes included in Opencast version 12.5, you can refer to the following sources:

1. Official Opencast Release Notes - Version 12.5: https://github.com/opencast/opencast/releases/tag/12.5
2. CVE-2022-41965 - National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-41965

Conclusion

In summary, CVE-2022-41965 is a security vulnerability that affected Opencast versions prior to 12.5. This issue enabled attackers to redirect users to external websites, potentially exposing them to phishing and other security threats. Users are urged to update their Opencast installations to version 12.5 or later to mitigate these risks.

Timeline

Published on: 11/28/2022 21:15:00 UTC
Last modified on: 12/01/2022 23:14:00 UTC