Security

SECURITY.md

Security Policy

Supported Versions

Only the current and previous major Opencast release are supported. This means that if N.x is the latest release, N.x and (N-1).x are supported. Older versions will not receive any additional updates.

Reporting a Vulnerability

Please report security-related bugs by sending an email to security@opencast.org. Everything else should be filed as a ticket in our issue tracker

The Opencast Security Issue Process describes how issues are reported, who is responsible for what actions, and how things are handled internally.

Authenticated OpenRedirect Vulnerability
GHSA-r3qr-vwvg-43f7 published Nov 28, 2022 by gregorydlogan

Moderate
Limited Authentication Bypass for Media Files
GHSA-qm6v-cg9v-53j3 published May 19, 2022 by lkiesow

Low
Apache Log4j Remote Code Execution
GHSA-mf4f-j588-5xm8 published Dec 13, 2021 by lkiesow

Critical
Files Accessible to External Parties
GHSA-59g4-hpg3-3gcp published Dec 14, 2021 by gregorydlogan

Critical
HTTP Method Spoofing
GHSA-j4mm-7pj3-jf7v published Dec 14, 2021 by lkiesow

High
Removing access may not effect published series
GHSA-vpc2-3wcv-qj4w published Feb 17, 2021 by lkiesow

Low
Disabled Hostname Verification
GHSA-44cw-p2hm-gpf6 published Dec 8, 2020 by lkiesow

High
Opencast vulnerable to billion laughs attack (XML bomb)
GHSA-9gwx-9cwp-5c2m published Jun 15, 2021 by lkiesow

High
Users with ROLE_COURSE_ADMIN can create new users
GHSA-94qw-r73x-j7hg published Jan 29, 2020 by lkiesow

Moderate
Authentication Bypass For Endpoints With Anonymous Access
GHSA-vmm6-w4cf-7f3x published Jan 29, 2020 by lkiesow

Critical

Learn more about advisories related to opencast/opencast in the GitHub Advisory Database