CVE-2021-41152

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-41152
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41152.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-41152
Related
  • GHSA-m8j5-837g-2p3f
Published
2021-10-18T21:15:08.143Z
Modified
2025-11-14T12:23:56.050518Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
[none]
Details

OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, a learning management system (LMS). In affected versions, by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on the target system. The attack could be used to read any file accessible in the web root folder or outside it, depending on the configuration of the system and the properly configured permissions of the application server user. The attack requires an OpenOlat user account or the enabled guest user feature, together with the usage of the folder component in a course. The attack does not allow writing of arbitrary files; it allows only reading of files, and only of files whose exact path the attacker knows, which is very unlikely at least for OpenOlat data files. The problem is fixed in versions 15.5.8 and 16.0.1. It is advised to upgrade to version 16.0.x. There are no known workarounds for this problem; an upgrade is necessary.

References

Affected packages

Git / github.com/openolat/openolat

Affected ranges

Type
GIT
Repo
https://github.com/openolat/openolat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

OLAT-7.*

OLAT-7.1.0

OpenOLAT_10.*

OpenOLAT_10.0.0
OpenOLAT_10.0.1
OpenOLAT_10.0.2
OpenOLAT_10.0.3
OpenOLAT_10.0.4
OpenOLAT_10.0.5
OpenOLAT_10.0.6
OpenOLAT_10.0.7
OpenOLAT_10.0.8
OpenOLAT_10.0.9
OpenOLAT_10.1.0
OpenOLAT_10.1.1
OpenOLAT_10.1.2
OpenOLAT_10.1.3
OpenOLAT_10.2.0
OpenOLAT_10.2.1
OpenOLAT_10.2.2
OpenOLAT_10.2.3
OpenOLAT_10.2.4
OpenOLAT_10.2.5
OpenOLAT_10.3.0
OpenOLAT_10.3.1
OpenOLAT_10.3.2
OpenOLAT_10.3.3
OpenOLAT_10.3.4
OpenOLAT_10.3.5
OpenOLAT_10.3.6
OpenOLAT_10.3.7
OpenOLAT_10.3.8
OpenOLAT_10.4.0
OpenOLAT_10.4.1
OpenOLAT_10.4.10
OpenOLAT_10.4.11
OpenOLAT_10.4.2
OpenOLAT_10.4.3
OpenOLAT_10.4.4
OpenOLAT_10.4.5
OpenOLAT_10.4.6
OpenOLAT_10.4.7
OpenOLAT_10.4.8
OpenOLAT_10.4.9
OpenOLAT_10.5.0
OpenOLAT_10.5.1
OpenOLAT_10.5.2
OpenOLAT_10.5.3
OpenOLAT_10.5.4
OpenOLAT_10.5.5
OpenOLAT_10.5.6
OpenOLAT_10.5.7
OpenOLAT_10.5.8
OpenOLAT_10.5.9

OpenOLAT_11.*

OpenOLAT_11.0.10
OpenOLAT_11.0.2
OpenOLAT_11.0.3
OpenOLAT_11.0.4
OpenOLAT_11.0.5
OpenOLAT_11.0.6
OpenOLAT_11.0.7
OpenOLAT_11.0.8
OpenOLAT_11.0.9
OpenOLAT_11.0_0
OpenOLAT_11.0_1
OpenOLAT_11.1.0
OpenOLAT_11.1.1
OpenOLAT_11.1.2
OpenOLAT_11.2.0
OpenOLAT_11.2.1
OpenOLAT_11.2.2
OpenOLAT_11.2.3
OpenOLAT_11.2.4
OpenOLAT_11.3.0
OpenOLAT_11.3.1
OpenOLAT_11.3.2
OpenOLAT_11.3.3
OpenOLAT_11.4.0
OpenOLAT_11.4.1
OpenOLAT_11.4.2
OpenOLAT_11.4.3
OpenOLAT_11.5.0
OpenOLAT_11.5.1
OpenOLAT_11.5.2
OpenOLAT_11.5.3
OpenOLAT_11.5.4
OpenOLAT_11.5.5

OpenOLAT_12.*

OpenOLAT_12.0.0
OpenOLAT_12.0.1
OpenOLAT_12.0.2
OpenOLAT_12.1.0
OpenOLAT_12.1.1
OpenOLAT_12.1.2
OpenOLAT_12.1.3
OpenOLAT_12.1.4
OpenOLAT_12.1.5
OpenOLAT_12.2.0
OpenOLAT_12.2.1
OpenOLAT_12.2.2
OpenOLAT_12.2.3
OpenOLAT_12.2.4
OpenOLAT_12.2.5
OpenOLAT_12.2.6
OpenOLAT_12.2.7
OpenOLAT_12.2.8
OpenOLAT_12.3.0
OpenOLAT_12.3.1
OpenOLAT_12.3.2
OpenOLAT_12.3.3
OpenOLAT_12.4.0
OpenOLAT_12.4.1
OpenOLAT_12.4.2
OpenOLAT_12.4.3a
OpenOLAT_12.5.0
OpenOLAT_12.5.1
OpenOLAT_12.5.10
OpenOLAT_12.5.11
OpenOLAT_12.5.12
OpenOLAT_12.5.13
OpenOLAT_12.5.14
OpenOLAT_12.5.15
OpenOLAT_12.5.16
OpenOLAT_12.5.17
OpenOLAT_12.5.18
OpenOLAT_12.5.19
OpenOLAT_12.5.2
OpenOLAT_12.5.20
OpenOLAT_12.5.21
OpenOLAT_12.5.22
OpenOLAT_12.5.23
OpenOLAT_12.5.24
OpenOLAT_12.5.25
OpenOLAT_12.5.26
OpenOLAT_12.5.3
OpenOLAT_12.5.4
OpenOLAT_12.5.5
OpenOLAT_12.5.6
OpenOLAT_12.5.7
OpenOLAT_12.5.8
OpenOLAT_12.5.9

OpenOLAT_13.*

OpenOLAT_13.0.0
OpenOLAT_13.0.0beta1
OpenOLAT_13.0.0beta3
OpenOLAT_13.0.0beta4
OpenOLAT_13.0.0beta5
OpenOLAT_13.0.0beta6
OpenOLAT_13.0.0beta7
OpenOLAT_13.0.0beta8
OpenOLAT_13.0.0beta9
OpenOLAT_13.0.1
OpenOLAT_13.0.2
OpenOLAT_13.0.3
OpenOLAT_13.1.0
OpenOLAT_13.1.1
OpenOLAT_13.1.2
OpenOLAT_13.2.0
OpenOLAT_13.2.1
OpenOLAT_13.2.2
OpenOLAT_13.2.3
OpenOLAT_13.2.4
OpenOLAT_13.2.5
OpenOLAT_13.2.6
OpenOLAT_13.2.7
OpenOLAT_13.2.8

OpenOLAT_14.*

OpenOLAT_14.0.0
OpenOLAT_14.0.2
OpenOLAT_14.0.3
OpenOLAT_14.0.4
OpenOLAT_14.01
OpenOLAT_14.1.0
OpenOLAT_14.1.1
OpenOLAT_14.1.2
OpenOLAT_14.1.3
OpenOLAT_14.1.4
OpenOLAT_14.1.5
OpenOLAT_14.1.6
OpenOLAT_14.1.7
OpenOLAT_14.2.0
OpenOLAT_14.2.1
OpenOLAT_14.2.10
OpenOLAT_14.2.11
OpenOLAT_14.2.12
OpenOLAT_14.2.13
OpenOLAT_14.2.14
OpenOLAT_14.2.15
OpenOLAT_14.2.16
OpenOLAT_14.2.17
OpenOLAT_14.2.18
OpenOLAT_14.2.2
OpenOLAT_14.2.3
OpenOLAT_14.2.4
OpenOLAT_14.2.5
OpenOLAT_14.2.6
OpenOLAT_14.2.7
OpenOLAT_14.2.8
OpenOLAT_14.2.9

OpenOLAT_15.*

OpenOLAT_15.0.0
OpenOLAT_15.0.1
OpenOLAT_15.0.2
OpenOLAT_15.0.3
OpenOLAT_15.0.4
OpenOLAT_15.0.5
OpenOLAT_15.0.6
OpenOLAT_15.1.0
OpenOLAT_15.1.1
OpenOLAT_15.1.2
OpenOLAT_15.1.3
OpenOLAT_15.1.4
OpenOLAT_15.2.0
OpenOLAT_15.2.1
OpenOLAT_15.2.10
OpenOLAT_15.2.11
OpenOLAT_15.2.12
OpenOLAT_15.2.2
OpenOLAT_15.2.3
OpenOLAT_15.2.4
OpenOLAT_15.2.5
OpenOLAT_15.2.6
OpenOLAT_15.2.7
OpenOLAT_15.2.8
OpenOLAT_15.2.9
OpenOLAT_15.3.0
OpenOLAT_15.3.1
OpenOLAT_15.3.10
OpenOLAT_15.3.11
OpenOLAT_15.3.12
OpenOLAT_15.3.13
OpenOLAT_15.3.14
OpenOLAT_15.3.15
OpenOLAT_15.3.16
OpenOLAT_15.3.17
OpenOLAT_15.3.2
OpenOLAT_15.3.3
OpenOLAT_15.3.4
OpenOLAT_15.3.5
OpenOLAT_15.3.6
OpenOLAT_15.3.7
OpenOLAT_15.3.8
OpenOLAT_15.3.9
OpenOLAT_15.4.0
OpenOLAT_15.4.1
OpenOLAT_15.4.2
OpenOLAT_15.4.3
OpenOLAT_15.4.4
OpenOLAT_15.4.5
OpenOLAT_15.4.6
OpenOLAT_15.4.7
OpenOLAT_15.5.0
OpenOLAT_15.5.1
OpenOLAT_15.5.2
OpenOLAT_15.5.3
OpenOLAT_15.5.4
OpenOLAT_15.5.5
OpenOLAT_15.5.6
OpenOLAT_15.5.7
OpenOLAT_15.pre.0.a
OpenOLAT_15.pre.1
OpenOLAT_15.pre.2
OpenOLAT_15.pre.3
OpenOLAT_15.pre.4
OpenOLAT_15.pre.5
OpenOLAT_15.pre.6
OpenOLAT_15.pre.7
OpenOLAT_15.pre.8
OpenOLAT_15.pre.9

OpenOLAT_8.*

OpenOLAT_8.0
OpenOLAT_8.0.2
OpenOLAT_8.0.3
OpenOLAT_8.1
OpenOLAT_8.1.1
OpenOLAT_8.1.2
OpenOLAT_8.1.3
OpenOLAT_8.1.4
OpenOLAT_8.2.0
OpenOLAT_8.2.0beta
OpenOLAT_8.2.0beta2
OpenOLAT_8.2.1
OpenOLAT_8.3.0
OpenOLAT_8.3.1
OpenOLAT_8.3.2
OpenOLAT_8.3.3
OpenOLAT_8.3.4
OpenOLAT_8.3.5
OpenOLAT_8.4.0
OpenOLAT_8.4.0beta
OpenOLAT_8.4.1
OpenOLAT_8.4.2
OpenOLAT_8.4.3
OpenOLAT_8.4.4

OpenOLAT_9.*

OpenOLAT_9.0.0
OpenOLAT_9.0.1
OpenOLAT_9.0.2
OpenOLAT_9.0.3
OpenOLAT_9.0.4
OpenOLAT_9.0.5
OpenOLAT_9.0.6
OpenOLAT_9.1.0
OpenOLAT_9.1.1
OpenOLAT_9.1.2
OpenOLAT_9.2.0
OpenOLAT_9.2.1
OpenOLAT_9.3.0
OpenOLAT_9.3.1
OpenOLAT_9.3.2
OpenOLAT_9.3.3
OpenOLAT_9.3.4
OpenOLAT_9.3.5
OpenOLAT_9.4.0
OpenOLAT_9.4.1
OpenOLAT_9.4.2
OpenOLAT_9.4.3
OpenOLAT_9.4.4

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "37230997893396063972597037275420143191",
            "length": 714.0
        },
        "id": "CVE-2021-41152-274fcf0b",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdDownloadZip.java",
            "function": "execute"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "94287513934543284346126525798809755454",
            "length": 1167.0
        },
        "id": "CVE-2021-41152-6e8eb4f4",
        "target": {
            "file": "src/main/java/org/olat/core/util/mail/ui/SendDocumentsByEMailController.java",
            "function": "execute"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "86717623330665120496031326163668972536",
                "251072242806967888073132533343962860977",
                "32457034648358490823220129595690224697",
                "301209609550344131942330964586119774150"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-41152-70757292",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdMoveCopy.java"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "177443095175067134906098121982549311906",
            "length": 177.0
        },
        "id": "CVE-2021-41152-86108698",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/FileSelection.java",
            "function": "parse"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "316052137749478707706052036295686385818",
            "length": 131.0
        },
        "id": "CVE-2021-41152-8a38badf",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/FileSelection.java",
            "function": "FileSelection"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "id": "CVE-2021-41152-8f363b9b",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/FileSelection.java"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "52017343667875642092412676418143035664",
            "length": 768.0
        },
        "id": "CVE-2021-41152-93d63ba7",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdDelete.java",
            "function": "execute"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "225388238040251574302750543747225967216",
                "76441486433985649060461301908988838409",
                "78352974792646237695172154405455682498",
                "39455147565886489597818479157511151483"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-41152-9e869568",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdUnzip.java"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "268990702816256723651842358809507242008",
            "length": 2074.0
        },
        "id": "CVE-2021-41152-a8a6172a",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdUnzip.java",
            "function": "execute"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "123791303460811432165340330782384170349",
                "10198707096846964694593697707696736481",
                "185605951606308260193390768106158895762",
                "90292922356063283910587630187143750303"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-41152-cfaef401",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdZip.java"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "id": "CVE-2021-41152-e0809bf2",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdDownloadZip.java"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "173650894009391771760842423909294262635",
            "length": 1013.0
        },
        "id": "CVE-2021-41152-e7a4a68d",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdMoveCopy.java",
            "function": "execute"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "98366211884560439465393510581894364779",
                "132300245631748378012871120704563567370",
                "328699086517979105903591411128201873414",
                "201149948614933999970105145621268051840"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-41152-e874b74e",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdDelete.java"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "267528097173220458552165884497255948505",
            "length": 819.0
        },
        "id": "CVE-2021-41152-f1adb6fa",
        "target": {
            "file": "src/main/java/org/olat/core/commons/modules/bc/commands/CmdZip.java",
            "function": "execute"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "70951686129651440150823223013879687099",
                "252185366706045822254390248742329713726",
                "223759349789669610664831824445686231615",
                "330355830692705847943950553386861311013"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-41152-fa675aec",
        "target": {
            "file": "src/main/java/org/olat/core/util/mail/ui/SendDocumentsByEMailController.java"
        },
        "source": "https://github.com/openolat/openolat/commit/418bb509ffcb0e25ab4390563c6c47f0458583eb"
    }
]