{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A9BAD00-C232-4ACC-B2AA-4EC1C37CFECC", "versionEndExcluding": "9.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack (XML entity expansion), which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers. The problem has been fixed in Opencast 9.6. There is no known workaround for this issue."}, {"lang": "es", "value": "Opencast es una soluci\u00f3n gratuita y de c\u00f3digo abierto para la captura y distribuci\u00f3n autom\u00e1tica de v\u00eddeo. Las versiones de Opencast anteriores a versi\u00f3n 9.6 son vulnerables al ataque de los mil millones de risas, que permite a un atacante ejecutar f\u00e1cilmente un ataque de denegaci\u00f3n de servicio (aparentemente permanente), esencialmente derribando Opencast usando una \u00fanica petici\u00f3n HTTP. Para explotar esto, los usuarios necesitan tener privilegios de ingesta, limitando el grupo de atacantes potenciales. El problema se ha corregido en Opencast versi\u00f3n 9.6. 
No se conoce ninguna soluci\u00f3n para este problema"}], "id": "CVE-2021-32623", "lastModified": "2024-11-21T06:07:24.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-16T00:15:07.717", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opencast/opencast/commit/8ae27da5a6f658011a5741b3210e715b0dc6213e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": 
"https://github.com/opencast/opencast/security/advisories/GHSA-9gwx-9cwp-5c2m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/opencast/opencast/commit/8ae27da5a6f658011a5741b3210e715b0dc6213e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-9gwx-9cwp-5c2m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "security-advisories@github.com", "type": "Secondary"}]}