SB2021121035 - Relative Path Traversal in OpenOlat
Published: December 10, 2021 Updated: April 27, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Relative Path Traversal (CVE-ID: CVE-2021-41242)
The vulnerability allows a remote user to write files to arbitrary locations on the target system.
The vulnerability exists due to relative path traversal in some REST methods when processing a filename parameter containing a relative path. A remote user can supply a crafted filename parameter to write files to arbitrary locations on the target system.
Exploitation requires an enabled REST API and rights on a business object to call the vulnerable REST methods.
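One way a server-side handler can reject such filename parameters before writing, shown as an added example in Java (not OpenOlat code and not the vendor's fix). The class name, method name and sample inputs are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.List;

// Added illustration; not OpenOlat code. All names here are hypothetical.
public class SafeUploadPath {

    /** Resolves a client-supplied filename inside baseDir, or throws if it would land outside. */
    static Path resolveInside(Path baseDir, String filename) throws IOException {
        if (filename == null || filename.isEmpty() || filename.indexOf('\0') >= 0) {
            throw new IOException("invalid filename");
        }
        // Treat backslashes as separators too, whatever the host OS is.
        String unified = filename.replace('\\', '/');
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            // resolve() returns an absolute argument unchanged, so the
            // containment check below also rejects absolute paths.
            target = base.resolve(unified).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid filename", e);
        }
        // Path.startsWith compares whole name elements, not string prefixes,
        // so a sibling directory such as "uploads2" does not match "uploads".
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("filename escapes target directory");
        }
        // normalize() does not follow symlinks; if links can exist under
        // baseDir, also compare the parent's toRealPath() against base.
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-demo");
        // Constructed sample values for the filename parameter.
        List<String> samples = List.of("report.pdf", "sub/notes.txt",
                "../../outside.txt", "..\\..\\outside.txt", "/tmp/outside.txt", "a/../../b");
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + base.relativize(resolveInside(base, s)));
            } catch (IOException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```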
Remediation
Install the update from the vendor's website.