Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
7 vulnerabilities by OpenOLAT
CVE-2026-28228 (GCVE-0-2026-28228)
Vulnerability from cvelistv5 – Published: 2026-03-30 20:31 – Updated: 2026-03-31 18:53
VLAI?
Title
OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution
Summary
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed (either triggered manually or via the daily cron job), the injected directives are evaluated server-side. By chaining Velocity's #set directive with Java reflection, an attacker can instantiate arbitrary Java classes such as java.lang.ProcessBuilder and execute operating system commands with the privileges of the Tomcat process (typically root in containerized deployments). This issue has been patched in versions 19.1.31, 20.1.18, and 20.2.5.
Severity ?
8.8 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T18:51:12.402407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:53:40.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenOLAT",
"vendor": "OpenOLAT",
"versions": [
{
"status": "affected",
"version": "\u003c 19.1.31"
},
{
"status": "affected",
"version": "\u003c 20.1.18"
},
{
"status": "affected",
"version": "\u003c 20.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed (either triggered manually or via the daily cron job), the injected directives are evaluated server-side. By chaining Velocity\u0027s #set directive with Java reflection, an attacker can instantiate arbitrary Java classes such as java.lang.ProcessBuilder and execute operating system commands with the privileges of the Tomcat process (typically root in containerized deployments). This issue has been patched in versions 19.1.31, 20.1.18, and 20.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T20:31:23.135Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-55qg-vvgj-ffh4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-55qg-vvgj-ffh4"
}
],
"source": {
"advisory": "GHSA-55qg-vvgj-ffh4",
"discovery": "UNKNOWN"
},
"title": "OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28228",
"datePublished": "2026-03-30T20:31:23.135Z",
"dateReserved": "2026-02-25T15:28:40.651Z",
"dateUpdated": "2026-03-31T18:53:40.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31946 (GCVE-0-2026-31946)
Vulnerability from cvelistv5 – Published: 2026-03-30 20:31 – Updated: 2026-03-31 14:08
VLAI?
Title
OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow
Summary
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider's JWKS endpoint. This issue has been patched in version 20.2.5.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:07:59.235405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:08:07.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenOLAT",
"vendor": "OpenOLAT",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.5.4, \u003c 20.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT\u0027s OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method silently discards the signature segment of the compact JWT (header.payload.signature), and the getAccessToken() methods in both OpenIdConnectApi and OpenIdConnectFullConfigurableApi only validate claim-level fields (issuer, audience, state, nonce) without any cryptographic signature verification against the Identity Provider\u0027s JWKS endpoint. This issue has been patched in version 20.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T20:31:14.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-v8vp-x4q4-2vch"
}
],
"source": {
"advisory": "GHSA-v8vp-x4q4-2vch",
"discovery": "UNKNOWN"
},
"title": "OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31946",
"datePublished": "2026-03-30T20:31:14.919Z",
"dateReserved": "2026-03-10T15:10:10.656Z",
"dateUpdated": "2026-03-31T14:08:07.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-28198 (GCVE-0-2024-28198)
Vulnerability from cvelistv5 – Published: 2024-03-11 19:38 – Updated: 2024-08-02 00:48
VLAI?
Title
XML external entity (XXE) injection in OpenOLAT
Summary
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system.
Severity ?
4.6 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T15:40:38.365291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:59.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-pqvm-h9mg-434c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-pqvm-h9mg-434c"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/23e6212e9412c3b099436159b8c8935321c91872",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/23e6212e9412c3b099436159b8c8935321c91872"
},
{
"name": "https://track.frentix.com/issue/OO-7553/XXE-injection-in-draw.io-endpoint",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://track.frentix.com/issue/OO-7553/XXE-injection-in-draw.io-endpoint"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenOLAT",
"vendor": "OpenOLAT",
"versions": [
{
"status": "affected",
"version": "\u003c 18.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-11T19:38:26.088Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-pqvm-h9mg-434c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-pqvm-h9mg-434c"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/23e6212e9412c3b099436159b8c8935321c91872",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/23e6212e9412c3b099436159b8c8935321c91872"
},
{
"name": "https://track.frentix.com/issue/OO-7553/XXE-injection-in-draw.io-endpoint",
"tags": [
"x_refsource_MISC"
],
"url": "https://track.frentix.com/issue/OO-7553/XXE-injection-in-draw.io-endpoint"
}
],
"source": {
"advisory": "GHSA-pqvm-h9mg-434c",
"discovery": "UNKNOWN"
},
"title": "XML external entity (XXE) injection in OpenOLAT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28198",
"datePublished": "2024-03-11T19:38:26.088Z",
"dateReserved": "2024-03-06T17:35:00.860Z",
"dateUpdated": "2024-08-02T00:48:49.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41242 (GCVE-0-2021-41242)
Vulnerability from cvelistv5 – Published: 2021-12-10 22:25 – Updated: 2024-08-04 03:08
VLAI?
Title
Path Traversal in some REST methods leading to file upload to arbitrary places
Summary
OpenOlat is a web-basedlearning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and write files anywhere on the target system. The attack could be used to write files anywhere in the web root folder or outside, depending on the configuration of the system and the properly configured permission of the application server user. The attack requires an OpenOlat user account, an enabled REST API and the rights on a business object to call the vulnerable REST calls. The problem is fixed in version 15.5.12 and 16.0.5. There is a workaround available. The vulnerability requires the REST module to be enabled. Disabling the REST module or limiting the REST module via some firewall or web-server access rules to be accessed only be trusted systems will mitigate the risk.
Severity ?
8.1 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.500Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-62hv-rfp4-hmrm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/336d5ce80681be61a0bbf4f73d2af5d1ff67e93a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.openolat.org/browse/OO-5819"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenOLAT",
"vendor": "OpenOLAT",
"versions": [
{
"status": "affected",
"version": "\u003c 15.5.12"
},
{
"status": "affected",
"version": "\u003e= 16.0.0, \u003c 16.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenOlat is a web-basedlearning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and write files anywhere on the target system. The attack could be used to write files anywhere in the web root folder or outside, depending on the configuration of the system and the properly configured permission of the application server user. The attack requires an OpenOlat user account, an enabled REST API and the rights on a business object to call the vulnerable REST calls. The problem is fixed in version 15.5.12 and 16.0.5. There is a workaround available. The vulnerability requires the REST module to be enabled. Disabling the REST module or limiting the REST module via some firewall or web-server access rules to be accessed only be trusted systems will mitigate the risk."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-10T22:25:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-62hv-rfp4-hmrm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/336d5ce80681be61a0bbf4f73d2af5d1ff67e93a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.openolat.org/browse/OO-5819"
}
],
"source": {
"advisory": "GHSA-62hv-rfp4-hmrm",
"discovery": "UNKNOWN"
},
"title": "Path Traversal in some REST methods leading to file upload to arbitrary places",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41242",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in some REST methods leading to file upload to arbitrary places"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenOLAT",
"version": {
"version_data": [
{
"version_value": "\u003c 15.5.12"
},
{
"version_value": "\u003e= 16.0.0, \u003c 16.0.5"
}
]
}
}
]
},
"vendor_name": "OpenOLAT"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenOlat is a web-basedlearning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and write files anywhere on the target system. The attack could be used to write files anywhere in the web root folder or outside, depending on the configuration of the system and the properly configured permission of the application server user. The attack requires an OpenOlat user account, an enabled REST API and the rights on a business object to call the vulnerable REST calls. The problem is fixed in version 15.5.12 and 16.0.5. There is a workaround available. The vulnerability requires the REST module to be enabled. Disabling the REST module or limiting the REST module via some firewall or web-server access rules to be accessed only be trusted systems will mitigate the risk."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-62hv-rfp4-hmrm",
"refsource": "CONFIRM",
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-62hv-rfp4-hmrm"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/336d5ce80681be61a0bbf4f73d2af5d1ff67e93a",
"refsource": "MISC",
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/336d5ce80681be61a0bbf4f73d2af5d1ff67e93a"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
"refsource": "MISC",
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4"
},
{
"name": "https://jira.openolat.org/browse/OO-5819",
"refsource": "MISC",
"url": "https://jira.openolat.org/browse/OO-5819"
}
]
},
"source": {
"advisory": "GHSA-62hv-rfp4-hmrm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41242",
"datePublished": "2021-12-10T22:25:13.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:08:31.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41152 (GCVE-0-2021-41152)
Vulnerability from cvelistv5 – Published: 2021-10-18 20:55 – Updated: 2024-08-04 02:59
VLAI?
Title
Path Traversal in Folder Component Leading to Local File Inclusion
Summary
OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on the target system. The attack could be used to read any file accessible in the web root folder or outside, depending on the configuration of the system and the properly configured permission of the application server user. The attack requires an OpenOlat user account or the enabled guest user feature together with the usage of the folder component in a course. The attack does not allow writing of arbitrary files, it allows only reading of files and also only ready of files that the attacker knows the exact path which is very unlikely at least for OpenOlat data files. The problem is fixed in version 15.5.8 and 16.0.1 It is advised to upgrade to version 16.0.x. There are no known workarounds to fix this problem, an upgrade is necessary.
Severity ?
7.7 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-m8j5-837g-2p3f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.openolat.org/browse/OO-5696"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenOLAT",
"vendor": "OpenOLAT",
"versions": [
{
"status": "affected",
"version": "\u003c 15.5.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on the target system. The attack could be used to read any file accessible in the web root folder or outside, depending on the configuration of the system and the properly configured permission of the application server user. The attack requires an OpenOlat user account or the enabled guest user feature together with the usage of the folder component in a course. The attack does not allow writing of arbitrary files, it allows only reading of files and also only ready of files that the attacker knows the exact path which is very unlikely at least for OpenOlat data files. The problem is fixed in version 15.5.8 and 16.0.1 It is advised to upgrade to version 16.0.x. There are no known workarounds to fix this problem, an upgrade is necessary."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-18T20:55:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-m8j5-837g-2p3f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.openolat.org/browse/OO-5696"
}
],
"source": {
"advisory": "GHSA-m8j5-837g-2p3f",
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Folder Component Leading to Local File Inclusion",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41152",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in Folder Component Leading to Local File Inclusion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenOLAT",
"version": {
"version_data": [
{
"version_value": "\u003c 15.5.8"
}
]
}
}
]
},
"vendor_name": "OpenOLAT"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on the target system. The attack could be used to read any file accessible in the web root folder or outside, depending on the configuration of the system and the properly configured permission of the application server user. The attack requires an OpenOlat user account or the enabled guest user feature together with the usage of the folder component in a course. The attack does not allow writing of arbitrary files, it allows only reading of files and also only ready of files that the attacker knows the exact path which is very unlikely at least for OpenOlat data files. The problem is fixed in version 15.5.8 and 16.0.1 It is advised to upgrade to version 16.0.x. There are no known workarounds to fix this problem, an upgrade is necessary."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-m8j5-837g-2p3f",
"refsource": "CONFIRM",
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-m8j5-837g-2p3f"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb",
"refsource": "MISC",
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
},
{
"name": "https://jira.openolat.org/browse/OO-5696",
"refsource": "MISC",
"url": "https://jira.openolat.org/browse/OO-5696"
}
]
},
"source": {
"advisory": "GHSA-m8j5-837g-2p3f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41152",
"datePublished": "2021-10-18T20:55:12.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:59:31.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39181 (GCVE-0-2021-39181)
Vulnerability from cvelistv5 – Published: 2021-09-01 19:45 – Updated: 2024-08-04 01:58
VLAI?
Title
Unsafe Deserialization of User Data Using XStream
Summary
OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.
Severity ?
8.8 (High)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.230Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.openolat.org/browse/OO-5548"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenOLAT",
"vendor": "OpenOLAT",
"versions": [
{
"status": "affected",
"version": "\u003c 15.3.18"
},
{
"status": "affected",
"version": "\u003e= 15.4.0, \u003c 15.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T19:45:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.openolat.org/browse/OO-5548"
}
],
"source": {
"advisory": "GHSA-596v-3gwh-2m9w",
"discovery": "UNKNOWN"
},
"title": "Unsafe Deserialization of User Data Using XStream",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39181",
"STATE": "PUBLIC",
"TITLE": "Unsafe Deserialization of User Data Using XStream"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenOLAT",
"version": {
"version_data": [
{
"version_value": "\u003c 15.3.18"
},
{
"version_value": "\u003e= 15.4.0, \u003c 15.5.3"
}
]
}
}
]
},
"vendor_name": "OpenOLAT"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-91: XML Injection (aka Blind XPath Injection)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w",
"refsource": "CONFIRM",
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684",
"refsource": "MISC",
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684"
},
{
"name": "https://jira.openolat.org/browse/OO-5548",
"refsource": "MISC",
"url": "https://jira.openolat.org/browse/OO-5548"
}
]
},
"source": {
"advisory": "GHSA-596v-3gwh-2m9w",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39181",
"datePublished": "2021-09-01T19:45:11.000Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:58:18.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39180 (GCVE-0-2021-39180)
Vulnerability from cvelistv5 – Published: 2021-08-31 17:55 – Updated: 2024-08-04 01:58
VLAI?
Title
Path Traversal in Archive Handling Leading to Code Execution
Summary
OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions prior to 15.3.18, 15.5.3, and 16.0.0. Using a specially prepared ZIP file, it is possible to overwrite any file that is writable by the application server user (e.g. the tomcat user). Depending on the configuration this can be limited to files of the OpenOlat user data directory, however, if not properly set up, the attack could also be used to overwrite application server config files, java code or even operating system files. The attack could be used to corrupt or modify any OpenOlat file such as course structures, config files or temporary test data. Those attack would require in-depth knowledge of the installation and thus more theoretical. If the app server configuration allows the execution of jsp files and the path to the context is known, it is also possible to execute java code. If the app server runs with the same user that is used to deploy the OpenOlat code or has write permissions on the OpenOlat code files and the path to the context is know, code injection is possible. The attack requires an OpenOlat user account to upload a ZIP file and trigger the unzip method. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3 and 16.0.0. There are no known workarounds aside from upgrading.
Severity ?
8.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-x95v-2pgj-9x8j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/2cf73c972e23ccd69cc1e103e43c2c8253571d3e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/5668a41ab3f1753102a89757be013487544279d5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/699490be8e931af0ef1f135c55384db1f4232637"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.openolat.org/browse/OO-5549"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenOLAT",
"vendor": "OpenOLAT",
"versions": [
{
"status": "affected",
"version": "\u003c 15.3.18"
},
{
"status": "affected",
"version": "\u003e= 15.4.0, \u003c 15.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions prior to 15.3.18, 15.5.3, and 16.0.0. Using a specially prepared ZIP file, it is possible to overwrite any file that is writable by the application server user (e.g. the tomcat user). Depending on the configuration this can be limited to files of the OpenOlat user data directory, however, if not properly set up, the attack could also be used to overwrite application server config files, java code or even operating system files. The attack could be used to corrupt or modify any OpenOlat file such as course structures, config files or temporary test data. Those attack would require in-depth knowledge of the installation and thus more theoretical. If the app server configuration allows the execution of jsp files and the path to the context is known, it is also possible to execute java code. If the app server runs with the same user that is used to deploy the OpenOlat code or has write permissions on the OpenOlat code files and the path to the context is know, code injection is possible. The attack requires an OpenOlat user account to upload a ZIP file and trigger the unzip method. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3 and 16.0.0. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-31T17:55:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-x95v-2pgj-9x8j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/2cf73c972e23ccd69cc1e103e43c2c8253571d3e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/5668a41ab3f1753102a89757be013487544279d5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/699490be8e931af0ef1f135c55384db1f4232637"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.openolat.org/browse/OO-5549"
}
],
"source": {
"advisory": "GHSA-x95v-2pgj-9x8j",
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Archive Handling Leading to Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39180",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in Archive Handling Leading to Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenOLAT",
"version": {
"version_data": [
{
"version_value": "\u003c 15.3.18"
},
{
"version_value": "\u003e= 15.4.0, \u003c 15.5.3"
}
]
}
}
]
},
"vendor_name": "OpenOLAT"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions prior to 15.3.18, 15.5.3, and 16.0.0. Using a specially prepared ZIP file, it is possible to overwrite any file that is writable by the application server user (e.g. the tomcat user). Depending on the configuration this can be limited to files of the OpenOlat user data directory, however, if not properly set up, the attack could also be used to overwrite application server config files, java code or even operating system files. The attack could be used to corrupt or modify any OpenOlat file such as course structures, config files or temporary test data. Those attack would require in-depth knowledge of the installation and thus more theoretical. If the app server configuration allows the execution of jsp files and the path to the context is known, it is also possible to execute java code. If the app server runs with the same user that is used to deploy the OpenOlat code or has write permissions on the OpenOlat code files and the path to the context is know, code injection is possible. The attack requires an OpenOlat user account to upload a ZIP file and trigger the unzip method. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3 and 16.0.0. There are no known workarounds aside from upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-x95v-2pgj-9x8j",
"refsource": "CONFIRM",
"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-x95v-2pgj-9x8j"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/2cf73c972e23ccd69cc1e103e43c2c8253571d3e",
"refsource": "MISC",
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/2cf73c972e23ccd69cc1e103e43c2c8253571d3e"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/5668a41ab3f1753102a89757be013487544279d5",
"refsource": "MISC",
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/5668a41ab3f1753102a89757be013487544279d5"
},
{
"name": "https://github.com/OpenOLAT/OpenOLAT/commit/699490be8e931af0ef1f135c55384db1f4232637",
"refsource": "MISC",
"url": "https://github.com/OpenOLAT/OpenOLAT/commit/699490be8e931af0ef1f135c55384db1f4232637"
},
{
"name": "https://jira.openolat.org/browse/OO-5549",
"refsource": "MISC",
"url": "https://jira.openolat.org/browse/OO-5549"
}
]
},
"source": {
"advisory": "GHSA-x95v-2pgj-9x8j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39180",
"datePublished": "2021-08-31T17:55:14.000Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:58:18.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}