Information disclosure in Opencast
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-43821 |
| CWE-ID | CWE-552 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Opencast Other software / Other software solutions |
| Vendor | Apereo Foundation |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Files or Directories Accessible to External Parties
EUVDB-ID: #VU59086
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-43821
CWE-ID:
CWE-552 - Files or Directories Accessible to External Parties
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a logic error that allows references to local file URLs in ingested media packages. A remote user can include arbitrary local files from Opencast's host machine and make them publicly available via the web interface.
Install updates from vendor's website.
Vulnerable software versionsOpencast: 1.3.0 - 10.5
External linkshttp://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcp
http://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587
http://mvnrepository.com/artifact/org.opencastproject/opencast-ingest-service-impl
http://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
