Lucene search

[email protected]CVE-2021-32623

HistoryJun 16, 2021 - 12:15 a.m.

CVE-2021-32623

2021-06-1600:15:07

CWE-776

[email protected]

web.nvd.nist.gov

opencast

cve-2021-32623

billion laughs attack

denial of service

nvd

cybersecurity

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

0.001 Low

EPSS

Percentile

32.1%

JSON

Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers The problem has been fixed in Opencast 9.6. There is no known workaround for this issue.

Affected configurations

Vulners

NVD

Node

opencastopencastRange<9.6

VendorProductVersionCPE
opencastopencast*cpe:2.3:a:opencast:opencast:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opencast	opencast	*	cpe:2.3:a:opencast:opencast::::::::

CNA Affected

[
  {
    "product": "opencast",
    "vendor": "opencast",
    "versions": [
      {
        "status": "affected",
        "version": "< 9.6"
      }
    ]
  }
]