SB2021101553 - Relative Path Traversal in OpenOlat




Published: October 15, 2021
Updated: April 27, 2026

Security Bulletin ID: SB2021101553
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Relative Path Traversal (CVE-ID: CVE-2021-41152)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to relative path traversal in the folder component's file download handling when processing a manipulated HTTP request. A remote user can modify the requested download path to read arbitrary files and disclose sensitive information.

Exploitation requires an OpenOlat user account or the enabled guest user feature together with usage of the folder component in a course, and only files with known paths can be read.
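
The class of flaw described above, shown as an added example that is not OpenOlat's code or its patch: a download handler that joins the requested relative path to a folder root, next to a form that normalises the path and rejects anything that leaves the root. The class name, method names and file layout are hypothetical and constructed for illustration (Java 11+).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; all names here are hypothetical, not OpenOlat identifiers.
public class FolderDownloadCheck {

    // Naive form: the requested path is joined to the folder root as-is,
    // so "../" segments can walk out of the folder.
    static Path resolveNaive(Path folderRoot, String requested) {
        return folderRoot.resolve(requested);
    }

    // Hardened form: normalise first, then require the result to stay under the root.
    static Path resolveContained(Path folderRoot, String requested) throws IOException {
        Path root = folderRoot.toRealPath();
        // resolve() returns the argument unchanged if it is absolute; the check below catches that.
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes folder root");
        }
        // For files that exist, follow symlinks and check containment again.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes folder root");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: a course folder and a file outside it that must stay private.
        Path base = Files.createTempDirectory("demo");
        Path root = Files.createDirectories(base.resolve("course/folder"));
        Files.writeString(root.resolve("slides.txt"), "public");
        Files.writeString(base.resolve("secret.txt"), "private");

        String[] requests = {"slides.txt", "sub/../slides.txt", "../../secret.txt", "/etc/hostname"};
        for (String r : requests) {
            try {
                System.out.println("allow  " + r + " -> " + resolveContained(root, r));
            } catch (SecurityException e) {
                System.out.println("reject " + r + " (" + e.getMessage() + ")");
            }
        }
        // The naive join serves the file outside the folder for the same request.
        System.out.println("naive read: " + Files.readString(resolveNaive(root, "../../secret.txt")));
    }
}
```

The containment check has to run on the normalised path, after any URL decoding the framework performs; filtering the raw request string for `../` is not equivalent.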


Remediation

Install the update from the vendor's website.