PT-2021-22439 · Openolat · Openolat

Gnaegi

Published

2021-09-01

Updated

2021-09-10

CVE-2021-39181

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OpenOlat versions prior to 15.3.18, 15.5.3, and 16.0.0

Description OpenOlat is a web-based learning management system. The issue allows an attacker to execute arbitrary code using a prepared import XML file, such as a course, which can instantiate any class on the Java classpath, including spring AOP bean factories. This requires an OpenOlat user account with the authoring role and cannot be exploited by unregistered users.

Recommendations For versions prior to 15.3.18, upgrade to version 15.3.18 or later. For versions prior to 15.5.3, upgrade to version 15.5.3 or later. For versions prior to 16.0.0, upgrade to version 16.0.0 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-91

Related Identifiers

CVE-2021-39181

GHSA-596V-3GWH-2M9W

Affected Products

Openolat

PT-2021-22439 · Openolat · Openolat

CVE-2021-39181

Weakness Enumeration

Related Identifiers

Affected Products

References · 7