PT-2021-23207 · Openolat · Openolat

Gnaegi · Published 2021-12-10 · Updated 2022-08-09 · CVE-2021-41242

CVSS v3.1: 8.1 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenOlat versions prior to 15.5.12 and 16.0.5
Description: A path traversal issue exists in OpenOlat, allowing an attacker to create directory structures and write files anywhere on the target system by providing a filename with a relative path as a parameter in some REST methods. This could be used to write files in the web root folder or outside it, depending on system configuration and application server user permissions. The attack requires an OpenOlat user account, an enabled REST API, and rights to call the vulnerable REST methods.
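The weakness described above is a filename parameter that is joined onto a storage directory without checking that it is a bare file name. The following is an added example, not OpenOlat's code or its fix, showing the kind of validation a REST handler needs before using a client-supplied filename: a syntactic check that rejects dot names and path separators, followed by a resolved-path check that the final location is directly inside the intended directory. The directory, function names and sample filename values are constructed for this example.

```python
"""
Added example (not OpenOlat code): validate a client-supplied filename
before it is used to create a file under a fixed upload directory, so that
a relative path component cannot escape that directory or create
subdirectories. All names and paths below are constructed for the example.
"""
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename is not a bare, safe file name."""


def safe_target_path(base_dir: Path, filename: str) -> Path:
    """Map a client-supplied filename onto base_dir, or raise UnsafeFilename.

    The parameter is expected to be a single path component (no directories).
    Two layers of checks:
      1. syntactic: reject empty names, ".", "..", separators and NUL bytes
         before the name ever reaches a filesystem API;
      2. semantic: resolve the candidate path and require its parent to be
         exactly the resolved base directory, which also catches a
         pre-existing symlink inside base_dir that points elsewhere.
    """
    if filename in ("", ".", ".."):
        raise UnsafeFilename(f"empty or dot name: {filename!r}")
    if "/" in filename or "\\" in filename or "\x00" in filename:
        raise UnsafeFilename(f"separator or NUL in name: {filename!r}")
    base = base_dir.resolve()
    target = (base / filename).resolve()
    if target.parent != base:
        raise UnsafeFilename(f"{filename!r} resolves outside {base}")
    return target


def write_upload(base_dir: Path, filename: str, data: bytes) -> Path:
    """Write data to base_dir/filename only after the name passes validation."""
    target = safe_target_path(base_dir, filename)
    # mode "xb" additionally refuses to overwrite an existing file
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def classify(base_dir: Path, filenames: list[str]) -> dict[str, bool]:
    """Return {filename: accepted?} for a batch of candidate names."""
    result: dict[str, bool] = {}
    for name in filenames:
        try:
            safe_target_path(base_dir, name)
            result[name] = True
        except UnsafeFilename:
            result[name] = False
    return result


# Constructed sample of values a "filename" REST parameter might carry.
SAMPLE_NAMES = [
    "lecture-notes.pdf",          # ordinary upload: accepted
    "../escaped.txt",             # relative path climbing out of the folder
    "../../nested/dir/file.txt",  # would also create directory structures
    "sub/inner.txt",              # subdirectory inside base: still not a bare name
    "..",                         # the parent directory itself
    "",                           # empty parameter
    "notes\\..\\x.txt",           # backslash variant, relevant on Windows hosts
]


def main() -> None:
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name, ok in classify(base, SAMPLE_NAMES).items():
            print(f"{'ACCEPT' if ok else 'REJECT'}  {name!r}")
        written = write_upload(base, "lecture-notes.pdf", b"%PDF-1.4 constructed")
        print("wrote", written, "under", base.resolve())


if __name__ == "__main__":
    main()
```

The syntactic check alone would be enough for a bare-name parameter, but the resolved-path comparison is kept as a second layer: it costs nothing and also rejects the case where an entry of that name already exists inside the directory as a symlink to somewhere else. Only "lecture-notes.pdf" in the sample list is accepted; every other value is refused before any file or directory is created.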
Recommendations: For versions prior to 15.5.12, update to version 15.5.12 or later. For versions prior to 16.0.5, update to version 16.0.5 or later. As a temporary workaround, consider disabling the REST module or limiting its access via firewall or web-server rules to only trusted systems.

Fix

Weakness Enumeration: Relative Path Traversal (Path traversal)

Related Identifiers: CVE-2021-41242, GHSA-62HV-RFP4-HMRM

Affected Products: Openolat