
Path Traversal in some REST methods leading to file upload to arbitrary places

High
gnaegi published GHSA-62hv-rfp4-hmrm Dec 10, 2021

Package

No package listed

Affected versions

< 15.5.12

Patched versions

15.5.12, 16.0.5

Description

Impact

By providing a filename that contains a relative path as a parameter in some REST methods it is possible to create directory structures and write files anywhere on the target system.

The attack can be used to write files anywhere inside the web root folder or outside it, depending on the system configuration and on the file-system permissions granted to the application server user.

The attack requires an OpenOlat user account, an enabled REST API, and sufficient rights on a business object to invoke the vulnerable REST calls.
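As an added example (not OpenOlat's code and not the fix shipped in the patched versions), the following Python shows the bug class described above beside its hardened form: an unchecked join of an upload root with a client-supplied filename, versus a handler that accepts only a bare file name and then verifies that the normalised target still lies under the upload root. The upload root `/var/lib/olat/uploads`, the function names and the sample filenames are all constructed for illustration.

```python
import posixpath

# Constructed upload root for the demonstration; a real deployment would use
# the directory the application server actually writes uploads to.
UPLOAD_ROOT = "/var/lib/olat/uploads"


def vulnerable_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Where an unchecked join of root + client filename would write.

    This is the bug class the advisory describes (illustrative, not
    OpenOlat's code): the filename is joined onto the upload root and handed
    to the filesystem, so '..' segments climb out of the root and an
    absolute name replaces the root entirely. normpath is applied only to
    show the effective path the OS would use.
    """
    return posixpath.normpath(posixpath.join(root, filename))


def is_safe_filename(filename: str) -> bool:
    """Accept only a bare file name: not empty, not '.' or '..', and free of
    separators of either flavour and of NUL bytes."""
    if not filename or filename in (".", ".."):
        return False
    return not any(c in filename for c in ("/", "\\", "\0"))


def safe_target(filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened version: validate the name, then verify that the normalised
    result still lies under root before it is ever used for I/O."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(root, filename))
    # Defence in depth: even if the validation above were loosened later,
    # refuse any target whose normalised path escapes the upload root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload root: {candidate}")
    return candidate


# Constructed sample inputs: one benign name and the shapes an attacker
# would send in a filename parameter.
SAMPLE_FILENAMES = [
    "report.pdf",
    "../../../../etc/cron.d/evil",     # climb out of the root with '..'
    "/var/www/html/shell.jsp",         # absolute path replaces the root
    "..\\..\\tomcat\\webapps\\x.jsp",  # backslashes: traversal on a Windows host
    "subdir/../../escape.txt",         # '..' hidden behind a sub-directory
]


def compare(filenames=SAMPLE_FILENAMES) -> list:
    """Return (filename, unchecked_target, hardened_outcome) for each input,
    where hardened_outcome is the accepted path or 'REJECTED'."""
    rows = []
    for name in filenames:
        try:
            hardened = safe_target(name)
        except ValueError:
            hardened = "REJECTED"
        rows.append((name, vulnerable_target(name), hardened))
    return rows


if __name__ == "__main__":
    for name, unchecked, hardened in compare():
        print(f"{name!r:36} unchecked -> {unchecked:40} hardened -> {hardened}")
```

The backslash case is kept on purpose: a POSIX-only normalisation treats `..\..\` as an ordinary file name, but on a Windows application server those are directory separators, so the hardened check rejects both separator styles rather than relying on normalisation alone. The equivalent check in a Java handler is `root.resolve(name).normalize().startsWith(root)` on `java.nio.file.Path` values, applied after rejecting names that contain separators; `new File(parent, child)` by itself does not remove `..` segments.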

Patches

The problem is fixed in versions 15.5.12 and 16.0.5. It is advised to upgrade to version 16.0.x.

Workarounds

The vulnerability requires the REST module to be enabled. Disabling the REST module, or restricting access to it with firewall or web-server access rules so that it can be reached only by trusted systems, will mitigate the risk.

References

https://jira.openolat.org/browse/OO-5819 (only visible to members of the OpenOlat partner program)

For more information

If you have any questions or comments about this advisory:
Email us at contact@openolat.org

Severity

High

CVE ID

CVE-2021-41242
