Files or Directories Accessible to External Parties in Opencast - CVE-2021-43821
Published: December 22, 2021 / Updated: December 27, 2021
Vulnerability identifier: #VU59086
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2021-43821
CWE-ID: CWE-552
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Apereo Foundation
Affected software:
Opencast
Opencast
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a logic error that allows references to local file URLs in ingested media packages. A remote user can include arbitrary local files from Opencast's host machine and make them publicly available via the web interface.
How to mitigate CVE-2021-43821
Install updates from vendor's website.
Sources
- https://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcp
- https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587
- https://mvnrepository.com/artifact/org.opencastproject/opencast-ingest-service-impl
- https://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764