CVE-2021-41242

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-41242
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41242.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-41242
Related
  • GHSA-62hv-rfp4-hmrm
Published
2021-12-10T23:15:09Z
Modified
2025-10-15T13:23:14.587864Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
[none]
Details

OpenOlat is a web-based learning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By supplying a filename that contains a relative path as a parameter to some REST methods, an attacker can create directory structures and write files anywhere on the target system. Depending on the system configuration and the permissions granted to the application server user, files can be written anywhere inside the web root or outside it. The attack requires an OpenOlat user account, an enabled REST API, and rights on a business object that allow calling the vulnerable REST methods. The problem is fixed in versions 15.5.12 and 16.0.5. A workaround is available: because the vulnerability requires the REST module to be enabled, disabling the REST module, or restricting access to it with firewall or web-server rules so that only trusted systems can reach it, mitigates the risk.
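The defect class described above is a caller-supplied filename being joined to a storage directory and created without checking where the resulting path lands. The fix commits referenced in the signature section below touch `createChildLeaf` and `createChildContainer` in `LocalFolderImpl.java` and the REST multipart reader. The following is an added example, not OpenOlat's code and not its actual fix: it contrasts an unchecked "create child file" helper with a hardened one that rejects path separators and dot segments and then verifies that the normalized target still lies under the base directory. The class, method names and the temporary base directory are assumptions for illustration only.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not OpenOlat code). Shows the traversal-prone pattern
 * next to a containment-checked version of the same operation.
 */
public final class SafeChildLeaf {

    /**
     * Vulnerable pattern: the caller-supplied name is resolved against the
     * base directory and created as-is, so a value such as "../escaped.txt"
     * lands outside the folder the caller is authorized for.
     */
    static Path createChildLeafUnchecked(Path base, String name) throws IOException {
        Path target = base.resolve(name);
        Files.createDirectories(target.getParent());
        return Files.createFile(target);
    }

    /**
     * Hardened version. A "child leaf" name must be exactly one path
     * component, so any separator or dot segment is rejected up front.
     * The startsWith check on the normalized absolute path is defence in
     * depth; Path.startsWith compares whole components, so a base of
     * "/srv/olat" does not accept "/srv/olat2/x".
     */
    static Path createChildLeafChecked(Path base, String name) throws IOException {
        if (name == null || name.isEmpty()
                || name.contains("/") || name.contains("\\")
                || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid file name: " + name);
        }
        Path root = base.toAbsolutePath().normalize();
        Path target = root.resolve(name).normalize();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes base directory: " + name);
        }
        return Files.createFile(target);
    }

    public static void main(String[] args) throws IOException {
        // Assumed base directory for the demonstration (a temp dir, cleaned up below).
        Path base = Files.createTempDirectory("vfs-demo-");
        String traversal = "../escaped.txt";

        // Unchecked: the file is created one level above the base directory.
        Path leaked = createChildLeafUnchecked(base, traversal);
        System.out.println("unchecked wrote: " + leaked.toAbsolutePath().normalize());
        Files.deleteIfExists(leaked);

        // Checked: the same name is refused before anything touches the disk.
        try {
            createChildLeafChecked(base, traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("checked rejected: " + e.getMessage());
        }

        // Checked: a plain file name is still accepted.
        Path ok = createChildLeafChecked(base, "notes.txt");
        System.out.println("checked created: " + ok);
        Files.deleteIfExists(ok);
        Files.deleteIfExists(base);
    }
}
```

The separator check is the part that matters for a single-component filename; the `startsWith` check on the normalized path is what you want when the API legitimately accepts a relative path under a root, and it must be done after `normalize()`, otherwise `a/../../x` passes a string-prefix comparison. The checked helper also refuses to create intermediate directories, which removes the "create directory structures" half of the advisory's impact.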

References

Affected packages

Git / github.com/openolat/openolat

Affected ranges

Type
GIT
Repo
https://github.com/openolat/openolat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

OLAT-7.*

OLAT-7.1.0

OpenOLAT_10.*

OpenOLAT_10.0.0
OpenOLAT_10.0.1
OpenOLAT_10.0.2
OpenOLAT_10.0.3
OpenOLAT_10.0.4
OpenOLAT_10.0.5
OpenOLAT_10.0.6
OpenOLAT_10.0.7
OpenOLAT_10.0.8
OpenOLAT_10.0.9
OpenOLAT_10.1.0
OpenOLAT_10.1.1
OpenOLAT_10.1.2
OpenOLAT_10.1.3
OpenOLAT_10.2.0
OpenOLAT_10.2.1
OpenOLAT_10.2.2
OpenOLAT_10.2.3
OpenOLAT_10.2.4
OpenOLAT_10.2.5
OpenOLAT_10.3.0
OpenOLAT_10.3.1
OpenOLAT_10.3.2
OpenOLAT_10.3.3
OpenOLAT_10.3.4
OpenOLAT_10.3.5
OpenOLAT_10.3.6
OpenOLAT_10.3.7
OpenOLAT_10.3.8
OpenOLAT_10.4.0
OpenOLAT_10.4.1
OpenOLAT_10.4.10
OpenOLAT_10.4.11
OpenOLAT_10.4.2
OpenOLAT_10.4.3
OpenOLAT_10.4.4
OpenOLAT_10.4.5
OpenOLAT_10.4.6
OpenOLAT_10.4.7
OpenOLAT_10.4.8
OpenOLAT_10.4.9
OpenOLAT_10.5.0
OpenOLAT_10.5.1
OpenOLAT_10.5.2
OpenOLAT_10.5.3
OpenOLAT_10.5.4
OpenOLAT_10.5.5
OpenOLAT_10.5.6
OpenOLAT_10.5.7
OpenOLAT_10.5.8
OpenOLAT_10.5.9

OpenOLAT_11.*

OpenOLAT_11.0.10
OpenOLAT_11.0.2
OpenOLAT_11.0.3
OpenOLAT_11.0.4
OpenOLAT_11.0.5
OpenOLAT_11.0.6
OpenOLAT_11.0.7
OpenOLAT_11.0.8
OpenOLAT_11.0.9
OpenOLAT_11.0_0
OpenOLAT_11.0_1
OpenOLAT_11.1.0
OpenOLAT_11.1.1
OpenOLAT_11.1.2
OpenOLAT_11.2.0
OpenOLAT_11.2.1
OpenOLAT_11.2.2
OpenOLAT_11.2.3
OpenOLAT_11.2.4
OpenOLAT_11.3.0
OpenOLAT_11.3.1
OpenOLAT_11.3.2
OpenOLAT_11.3.3
OpenOLAT_11.4.0
OpenOLAT_11.4.1
OpenOLAT_11.4.2
OpenOLAT_11.4.3
OpenOLAT_11.5.0
OpenOLAT_11.5.1
OpenOLAT_11.5.2
OpenOLAT_11.5.3
OpenOLAT_11.5.4
OpenOLAT_11.5.5

OpenOLAT_12.*

OpenOLAT_12.0.0
OpenOLAT_12.0.1
OpenOLAT_12.0.2
OpenOLAT_12.1.0
OpenOLAT_12.1.1
OpenOLAT_12.1.2
OpenOLAT_12.1.3
OpenOLAT_12.1.4
OpenOLAT_12.1.5
OpenOLAT_12.2.0
OpenOLAT_12.2.1
OpenOLAT_12.2.2
OpenOLAT_12.2.3
OpenOLAT_12.2.4
OpenOLAT_12.2.5
OpenOLAT_12.2.6
OpenOLAT_12.2.7
OpenOLAT_12.2.8
OpenOLAT_12.3.0
OpenOLAT_12.3.1
OpenOLAT_12.3.2
OpenOLAT_12.3.3
OpenOLAT_12.4.0
OpenOLAT_12.4.1
OpenOLAT_12.4.2
OpenOLAT_12.4.3a
OpenOLAT_12.5.0
OpenOLAT_12.5.1
OpenOLAT_12.5.10
OpenOLAT_12.5.11
OpenOLAT_12.5.12
OpenOLAT_12.5.13
OpenOLAT_12.5.14
OpenOLAT_12.5.15
OpenOLAT_12.5.16
OpenOLAT_12.5.17
OpenOLAT_12.5.18
OpenOLAT_12.5.19
OpenOLAT_12.5.2
OpenOLAT_12.5.20
OpenOLAT_12.5.21
OpenOLAT_12.5.22
OpenOLAT_12.5.23
OpenOLAT_12.5.24
OpenOLAT_12.5.25
OpenOLAT_12.5.26
OpenOLAT_12.5.3
OpenOLAT_12.5.4
OpenOLAT_12.5.5
OpenOLAT_12.5.6
OpenOLAT_12.5.7
OpenOLAT_12.5.8
OpenOLAT_12.5.9

OpenOLAT_13.*

OpenOLAT_13.0.0
OpenOLAT_13.0.0beta1
OpenOLAT_13.0.0beta3
OpenOLAT_13.0.0beta4
OpenOLAT_13.0.0beta5
OpenOLAT_13.0.0beta6
OpenOLAT_13.0.0beta7
OpenOLAT_13.0.0beta8
OpenOLAT_13.0.0beta9
OpenOLAT_13.0.1
OpenOLAT_13.0.2
OpenOLAT_13.0.3
OpenOLAT_13.1.0
OpenOLAT_13.1.1
OpenOLAT_13.1.2
OpenOLAT_13.2.0
OpenOLAT_13.2.1
OpenOLAT_13.2.2
OpenOLAT_13.2.3
OpenOLAT_13.2.4
OpenOLAT_13.2.5
OpenOLAT_13.2.6
OpenOLAT_13.2.7
OpenOLAT_13.2.8

OpenOLAT_14.*

OpenOLAT_14.0.0
OpenOLAT_14.0.2
OpenOLAT_14.0.3
OpenOLAT_14.0.4
OpenOLAT_14.01
OpenOLAT_14.1.0
OpenOLAT_14.1.1
OpenOLAT_14.1.2
OpenOLAT_14.1.3
OpenOLAT_14.1.4
OpenOLAT_14.1.5
OpenOLAT_14.1.6
OpenOLAT_14.1.7
OpenOLAT_14.2.0
OpenOLAT_14.2.1
OpenOLAT_14.2.10
OpenOLAT_14.2.11
OpenOLAT_14.2.12
OpenOLAT_14.2.13
OpenOLAT_14.2.14
OpenOLAT_14.2.15
OpenOLAT_14.2.16
OpenOLAT_14.2.17
OpenOLAT_14.2.18
OpenOLAT_14.2.2
OpenOLAT_14.2.3
OpenOLAT_14.2.4
OpenOLAT_14.2.5
OpenOLAT_14.2.6
OpenOLAT_14.2.7
OpenOLAT_14.2.8
OpenOLAT_14.2.9

OpenOLAT_15.*

OpenOLAT_15.0.0
OpenOLAT_15.0.1
OpenOLAT_15.0.2
OpenOLAT_15.0.3
OpenOLAT_15.0.4
OpenOLAT_15.0.5
OpenOLAT_15.0.6
OpenOLAT_15.1.0
OpenOLAT_15.1.1
OpenOLAT_15.1.2
OpenOLAT_15.1.3
OpenOLAT_15.1.4
OpenOLAT_15.2.0
OpenOLAT_15.2.1
OpenOLAT_15.2.10
OpenOLAT_15.2.11
OpenOLAT_15.2.12
OpenOLAT_15.2.2
OpenOLAT_15.2.3
OpenOLAT_15.2.4
OpenOLAT_15.2.5
OpenOLAT_15.2.6
OpenOLAT_15.2.7
OpenOLAT_15.2.8
OpenOLAT_15.2.9
OpenOLAT_15.3.0
OpenOLAT_15.3.1
OpenOLAT_15.3.10
OpenOLAT_15.3.11
OpenOLAT_15.3.12
OpenOLAT_15.3.13
OpenOLAT_15.3.14
OpenOLAT_15.3.15
OpenOLAT_15.3.16
OpenOLAT_15.3.17
OpenOLAT_15.3.2
OpenOLAT_15.3.3
OpenOLAT_15.3.4
OpenOLAT_15.3.5
OpenOLAT_15.3.6
OpenOLAT_15.3.7
OpenOLAT_15.3.8
OpenOLAT_15.3.9
OpenOLAT_15.4.0
OpenOLAT_15.4.1
OpenOLAT_15.4.2
OpenOLAT_15.4.3
OpenOLAT_15.4.4
OpenOLAT_15.4.5
OpenOLAT_15.4.6
OpenOLAT_15.4.7
OpenOLAT_15.5.0
OpenOLAT_15.5.1
OpenOLAT_15.5.10
OpenOLAT_15.5.11
OpenOLAT_15.5.2
OpenOLAT_15.5.3
OpenOLAT_15.5.4
OpenOLAT_15.5.5
OpenOLAT_15.5.6
OpenOLAT_15.5.7
OpenOLAT_15.5.8
OpenOLAT_15.5.9
OpenOLAT_15.pre.0.a
OpenOLAT_15.pre.1
OpenOLAT_15.pre.2
OpenOLAT_15.pre.3
OpenOLAT_15.pre.4
OpenOLAT_15.pre.5
OpenOLAT_15.pre.6
OpenOLAT_15.pre.7
OpenOLAT_15.pre.8
OpenOLAT_15.pre.9

OpenOLAT_8.*

OpenOLAT_8.0
OpenOLAT_8.0.2
OpenOLAT_8.0.3
OpenOLAT_8.1
OpenOLAT_8.1.1
OpenOLAT_8.1.2
OpenOLAT_8.1.3
OpenOLAT_8.1.4
OpenOLAT_8.2.0
OpenOLAT_8.2.0beta
OpenOLAT_8.2.0beta2
OpenOLAT_8.2.1
OpenOLAT_8.3.0
OpenOLAT_8.3.1
OpenOLAT_8.3.2
OpenOLAT_8.3.3
OpenOLAT_8.3.4
OpenOLAT_8.3.5
OpenOLAT_8.4.0
OpenOLAT_8.4.0beta
OpenOLAT_8.4.1
OpenOLAT_8.4.2
OpenOLAT_8.4.3
OpenOLAT_8.4.4

OpenOLAT_9.*

OpenOLAT_9.0.0
OpenOLAT_9.0.1
OpenOLAT_9.0.2
OpenOLAT_9.0.3
OpenOLAT_9.0.4
OpenOLAT_9.0.5
OpenOLAT_9.0.6
OpenOLAT_9.1.0
OpenOLAT_9.1.1
OpenOLAT_9.1.2
OpenOLAT_9.2.0
OpenOLAT_9.2.1
OpenOLAT_9.3.0
OpenOLAT_9.3.1
OpenOLAT_9.3.2
OpenOLAT_9.3.3
OpenOLAT_9.3.4
OpenOLAT_9.3.5
OpenOLAT_9.4.0
OpenOLAT_9.4.1
OpenOLAT_9.4.2
OpenOLAT_9.4.3
OpenOLAT_9.4.4

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "16591160500666123975488325605155070110",
                "100665183215985695254311426065527524110",
                "71158026307726924876168560498819938360",
                "316221648298398342083917309296201702018",
                "11789282661309195128885001832927000708",
                "244588074656346721043678584863227648857",
                "328156663949702423022125207990843022133",
                "203240347530580055087558401948260276847"
            ]
        },
        "target": {
            "file": "src/main/java/org/olat/modules/fo/restapi/ForumWebService.java"
        },
        "id": "CVE-2021-41242-02573b92"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "208271659638530209688829043824549181138",
            "length": 553.0
        },
        "target": {
            "function": "createChildLeaf",
            "file": "src/main/java/org/olat/core/util/vfs/LocalFolderImpl.java"
        },
        "id": "CVE-2021-41242-073dc9fc"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/336d5ce80681be61a0bbf4f73d2af5d1ff67e93a",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "320278355283235652398642297825232387488",
                "236610807588137003066226371698532720530",
                "34222983940598867566658677244398982106",
                "57818106509460738385226384730001096972",
                "327205407065927632012015284829603627825",
                "21495553221982015264466029811872671189",
                "245713845584853316847134061285715232568",
                "273972156022958867124216284584527022088",
                "225310988203423325594159652405937789657",
                "266132692990132325851538741194615649564",
                "163808884341836382908301913022708763423",
                "158829503291850337522416918799810542304"
            ]
        },
        "target": {
            "file": "src/main/java/org/olat/core/util/vfs/LocalFolderImpl.java"
        },
        "id": "CVE-2021-41242-0bd798ce"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "248969689245966184597972483768621512304",
            "length": 782.0
        },
        "target": {
            "function": "configure",
            "file": "src/main/java/org/olat/restapi/repository/course/CourseElementWebService.java"
        },
        "id": "CVE-2021-41242-30a4db1a"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "77954591868094361829508448538701202894",
            "length": 212.0
        },
        "target": {
            "function": "createChildContainer",
            "file": "src/main/java/org/olat/core/util/vfs/LocalFolderImpl.java"
        },
        "id": "CVE-2021-41242-63fcce7e"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/336d5ce80681be61a0bbf4f73d2af5d1ff67e93a",
        "signature_type": "Function",
        "digest": {
            "function_hash": "327463001640612651513419254341959472523",
            "length": 408.0
        },
        "target": {
            "function": "createChildContainer",
            "file": "src/main/java/org/olat/core/util/vfs/LocalFolderImpl.java"
        },
        "id": "CVE-2021-41242-7c86aad5"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "133288298552251147923001419335724175014",
            "length": 956.0
        },
        "target": {
            "function": "servlet31",
            "file": "src/main/java/org/olat/restapi/support/MultipartReader.java"
        },
        "id": "CVE-2021-41242-8230649e"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "62804653572434751744177832892976374493",
            "length": 1557.0
        },
        "target": {
            "function": "attachTaskFile",
            "file": "src/main/java/org/olat/restapi/repository/course/CourseElementWebService.java"
        },
        "id": "CVE-2021-41242-b63f448f"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/336d5ce80681be61a0bbf4f73d2af5d1ff67e93a",
        "signature_type": "Function",
        "digest": {
            "function_hash": "162742834709834075671274912804620410798",
            "length": 733.0
        },
        "target": {
            "function": "createChildLeaf",
            "file": "src/main/java/org/olat/core/util/vfs/LocalFolderImpl.java"
        },
        "id": "CVE-2021-41242-c024e398"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Function",
        "digest": {
            "function_hash": "85991593109315339487917229920556882267",
            "length": 1295.0
        },
        "target": {
            "function": "configure",
            "file": "src/main/java/org/olat/restapi/repository/course/CourseElementWebService.java"
        },
        "id": "CVE-2021-41242-e0572435"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "264133421874961225112747875464860711553",
                "269322543030904853935112943709768760444",
                "333561067874657751624450717061621783107",
                "302644528610920512017149503708528648906"
            ]
        },
        "target": {
            "file": "src/main/java/org/olat/restapi/support/MultipartReader.java"
        },
        "id": "CVE-2021-41242-e4493e87"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "303058766670438396775907679628930023131",
                "30737509437614079727121606858734461528",
                "95800378517820767849615121353582527307",
                "70889691537032853282929337328971446396",
                "245713845584853316847134061285715232568",
                "268980720261238562998708971305430635809",
                "107610766915088569059712366257705708896",
                "245180970848087277472011939118805555893",
                "53304387952289595722762465153500671138",
                "33941203798336485885284678615612455727",
                "248795306554591486284289112298744892099",
                "269057004516163536815178360160375342391",
                "254815627639795660733347555878747736689",
                "135523685252031762308651532361194243121",
                "241395343000584506397773932491057356840",
                "19948223455247295719916640851110571164",
                "912048355205961992098000378911698254"
            ]
        },
        "target": {
            "file": "src/main/java/org/olat/core/util/vfs/LocalFolderImpl.java"
        },
        "id": "CVE-2021-41242-ffa9f42e"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openolat/openolat/commit/c450df7d7ffe6afde39ebca6da9136f1caa16ec4",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "288038531229663637572926378469704382745",
                "172675394836573427964411533013311004679",
                "333690839865463089694304297910153902080",
                "75438676271512263924868544569421332768",
                "277736929138786242846816931364907809508",
                "278153067770297542780140204469242655378",
                "156735229352289512306763985152592863220",
                "36644639786435257721122148587416325097",
                "180047166880096356146253825894479452938",
                "320548479226719302180468673209695753475",
                "298198222819202193409820202736093671901",
                "278858283114182573172973723556949203329",
                "333720826957995505357127336849763237414",
                "60934873948992922609448099997240853920",
                "144352258769870960795453448543890798412",
                "108306801764122273442674360166295196978",
                "214306697320809722380753336340615822977",
                "322872277023573329481244167706240405818",
                "180047166880096356146253825894479452938",
                "320548479226719302180468673209695753475",
                "155542458626541859250089756563246559885",
                "89379045401991261053554852853597175577"
            ]
        },
        "target": {
            "file": "src/main/java/org/olat/restapi/repository/course/CourseElementWebService.java"
        },
        "id": "CVE-2021-41242-ffc279a3"
    }
]