Relative Path Traversal in OpenOlat - CVE-2021-41152

 


Published: October 15, 2021 / Updated: April 27, 2026


Vulnerability identifier: #VU128161
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-41152
CWE-ID: CWE-23
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenOlat
Software vendor:
OpenOlat

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to relative path traversal in the folder component's file download handling when processing a manipulated HTTP request. A remote user can modify the requested download path to read arbitrary files and disclose sensitive information.

Exploitation requires an OpenOlat user account or the enabled guest user feature together with usage of the folder component in a course, and only files with known paths can be read.
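
The containment check that defends a file download handler against this class of flaw (CWE-23), as an added illustration written for this page; it is not OpenOlat's code or the vendor's patch, and the class name, method name and temporary file layout are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class FolderDownloadCheck {

    // Hypothetical helper: map a client-supplied relative path to a file inside
    // folderRoot, or throw if the result would land outside that folder.
    static Path resolveInside(Path folderRoot, String requested) throws IOException {
        Path root = folderRoot.toRealPath();                  // canonical root, symlinks resolved
        Path candidate = root.resolve(requested).normalize(); // lexically collapses "." and ".."
        // Path.startsWith compares whole path elements, so "/data/course2" does not
        // pass as being inside "/data/course" the way a string prefix test would.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes folder root: " + requested);
        }
        // The lexical check does not see symlinks: resolve them and check again.
        Path real = candidate.toRealPath();                   // IOException if the file is missing
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside folder root: " + requested);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/coursefolder/slides.txt, and <tmp>/secret.txt outside it.
        Path tmp = Files.createTempDirectory("demo");
        Path root = Files.createDirectory(tmp.resolve("coursefolder"));
        Files.writeString(root.resolve("slides.txt"), "course material");
        Files.writeString(tmp.resolve("secret.txt"), "outside the folder");

        // Constructed request paths: two that stay inside the folder, two that do not.
        String[] requests = {
            "slides.txt", "./sub/../slides.txt", "../secret.txt", "sub/../../secret.txt"
        };
        for (String r : requests) {
            try {
                Path p = resolveInside(root, r);
                System.out.println("ALLOW " + r + " -> " + p.getFileName());
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + r + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```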


Remediation

Install the security update from the vendor's website.
