PT-2021-23132 · Openolat · Openolat

Gnaegi · Published 2021-10-18 · Updated 2021-10-22 · CVE-2021-41152

CVSS v3.1: 7.7 High
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

OpenOlat versions prior to 15.5.8
OpenOlat versions prior to 16.0.1
Description

OpenOlat is a web-based e-learning platform. In affected versions, an attacker can modify the path of a file requested for download from the folder component so that it points anywhere on the target system, simply by manipulating the HTTP request. This allows reading of any file inside the web root folder or outside it, depending on the system configuration and the permissions of the application server user. The attack requires an OpenOlat user account (or the guest user feature enabled) and a course that uses the folder component. It only allows reading files, not writing them, and the attacker must know the exact path of the target file.
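The pattern described above, as an added example that is not OpenOlat's code: a minimal download resolver in the vulnerable form (client-supplied path appended to the course folder root with no confinement check) beside a confined form (root and candidate canonicalised, then a segment-wise prefix check). The directory layout, file names, function names and the "secret" file content are constructed for illustration and are assumptions, not details from the advisory.

```python
import os
import tempfile


def resolve_naive(root: str, requested: str) -> str:
    """Vulnerable pattern (illustrative): the client-supplied path is appended
    to the course folder root and normalised, but nothing checks that the
    result is still inside the root, so "../" segments walk out of it."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_confined(root: str, requested: str) -> str:
    """Hardened pattern (illustrative): canonicalise the root and the candidate
    (resolving "..", absolute paths and symlinks) and refuse anything that is
    not strictly below the root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath is a segment-wise prefix test, so /data/course does not
    # accidentally accept /data/course-backup/x the way str.startswith would.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"requested path escapes the folder root: {requested!r}")
    return candidate


def serve_download(root: str, requested: str, resolver) -> str:
    """Read the file a download handler would stream back to the client."""
    with open(resolver(root, requested), encoding="utf-8") as fh:
        return fh.read()


def build_sample_tree() -> str:
    """Constructed layout standing in for a deployed webapp: a course folder
    component under the web root and a config file outside it. Returns the
    folder component's root directory."""
    base = tempfile.mkdtemp(prefix="folder-traversal-demo-")
    course = os.path.join(base, "webroot", "courses", "42", "folder")
    os.makedirs(course)
    os.makedirs(os.path.join(base, "webroot", "WEB-INF"))
    with open(os.path.join(course, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("lecture notes")
    secret = os.path.join(base, "webroot", "WEB-INF", "app.properties")
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("db.password=constructed-secret")  # constructed sample content
    # A symlink placed inside the folder that points outside it: a plain
    # string-prefix check on the joined path would not catch this.
    os.symlink(secret, os.path.join(course, "link-out"))
    return course


def compare(root: str, requested: str) -> dict:
    """Run the same request through both resolvers and report the outcome."""
    out = {}
    for name, resolver in (("naive", resolve_naive), ("confined", resolve_confined)):
        try:
            out[name] = serve_download(root, requested, resolver)
        except (PermissionError, FileNotFoundError) as exc:
            out[name] = f"denied: {type(exc).__name__}"
    return out


if __name__ == "__main__":
    course_root = build_sample_tree()
    for req in ("notes.txt", "../../../WEB-INF/app.properties", "link-out"):
        print(req, "->", compare(course_root, req))
```

The confined resolver rejects three distinct escape routes with one check: "../" segments, an absolute path (which `os.path.join` would let replace the root entirely), and a symlink inside the folder that points outside it. Canonicalising both sides with `realpath` before comparing is what makes the symlink case work; a check performed on the unresolved joined string would pass it.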
Recommendations

For versions prior to 15.5.8, upgrade to version 15.5.8 or later. For versions prior to 16.0.1, upgrade to version 16.0.1 or later. As a general recommendation, consider upgrading to version 16.0.x. There are currently no known workarounds; an upgrade is necessary. Because exploitation requires a user account or the enabled guest user feature, disabling guest access narrows the set of attackers to authenticated users, but it does not close the issue.

Weakness Enumeration

Relative Path Traversal

Path traversal

Related Identifiers

CVE-2021-41152
GHSA-M8J5-837G-2P3F

Affected Products

Openolat