Impact
The API searchAllEvents, which is used in the video-block editor, can return any listed event, even when the current user has no read access to said event. This allows users to obtain metadata and the thumbnail URL of events they should not be able to see. The video or subtitle tracks are not exposed, and neither is the Opencast ID. So to the best of my knowledge, users are not able to watch the actual video.
Note: this is not the API that is used for the main search. The main site search performs the "read access" check correctly.
As a reminder: an event is listed if its series or any events in that series are included on a public page somewhere (i.e. not user pages). And since only listed videos are exposed by this bug, it's rather unlikely that very sensitive/private videos are exposed.
You can check if any of your videos are potentially affected by running tobira db console and then executing:
select title from search_events where not 'ROLE_ANONYMOUS' = any(read_roles) and array_length(host_realms, 1) > 0
This shows all non-public events that are listed. The metadata and thumbnail of those events can be accessed by anyone.
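The following is an added example, not part of the advisory or of Tobira's own code. It models the same "not public and listed" predicate as the SQL query above over a few constructed rows, and sets it beside the read-access filter that a search API should apply per user (an event is readable if it grants ROLE_ANONYMOUS or any of the caller's roles). The Event shape, the ANONYMOUS constant and the sample rows are assumptions made for illustration; the only column names taken from the page are title, read_roles and host_realms.

```python
from dataclasses import dataclass

# Role name used by the advisory's query to mark an event as public (from the page).
ANONYMOUS = "ROLE_ANONYMOUS"


@dataclass
class Event:
    # Assumed minimal shape of a row in search_events (columns taken from the query).
    title: str
    read_roles: list[str]
    host_realms: list[str]


def is_public(event: Event) -> bool:
    """Mirrors `'ROLE_ANONYMOUS' = any(read_roles)`."""
    return ANONYMOUS in event.read_roles


def is_listed(event: Event) -> bool:
    """Mirrors `array_length(host_realms, 1) > 0`: included on at least one page."""
    return len(event.host_realms) > 0


def affected_titles(events: list[Event]) -> list[str]:
    """Same selection as the advisory's query: listed but not public."""
    return [e.title for e in events if not is_public(e) and is_listed(e)]


def can_read(event: Event, user_roles: set[str]) -> bool:
    """Per-user read check: public events, or any overlap between user and event roles."""
    return is_public(event) or bool(user_roles & set(event.read_roles))


def visible_titles(events: list[Event], user_roles: set[str]) -> list[str]:
    """What a correctly filtered search (like the main site search) should return."""
    return [e.title for e in events if is_listed(e) and can_read(e, user_roles)]


# Constructed sample rows; not real data from any Tobira instance.
SAMPLE = [
    Event("Public lecture", [ANONYMOUS, "ROLE_USER"], ["/courses/intro"]),
    Event("Staff-only recording", ["ROLE_STAFF"], ["/courses/intro"]),
    Event("Unlisted draft", ["ROLE_STAFF"], []),
]

if __name__ == "__main__":
    print("affected:", affected_titles(SAMPLE))
    print("anonymous sees:", visible_titles(SAMPLE, set()))
    print("staff sees:", visible_titles(SAMPLE, {"ROLE_STAFF"}))
```

Run against your own rows, affected_titles gives the same set as the SQL query; visible_titles shows the subset each caller should actually receive, which is the gap the patch closes.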
Patches
Patched in v2.3 and later.
Workarounds
You can make affected events (see query above) unlisted by removing their inclusion on pages.