GHSA-hq8m-v68g-8cf8

Suggest an improvement
Source
https://github.com/advisories/GHSA-hq8m-v68g-8cf8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-hq8m-v68g-8cf8/GHSA-hq8m-v68g-8cf8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hq8m-v68g-8cf8
Aliases
Published
2025-08-29T15:34:37Z
Modified
2025-08-29T21:51:18.208325Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Opencast has a partial path traversal vulnerability in UI config
Details

The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases.

The path is checked without checking for the file separator. This could allow attackers access to files within another folder which starts with the same path. For example, the default UI config directory is placed at /etc/opencast/ui-config. Without this patch, an attacker can get access to files in a folder /etc/opencast/ui-config-hidden if those files are readable by Opencast.

General path traversal is not possible. For example, an attacker cannot exploit this to access files in /etc/opencast/encoding or even in /etc/opencast/ directly.

How dangerous is this?

Theoretically, this vulnerability may be exploited to get access to some non-public files. However, given the default structure of Opencast's configuration, this is extremely unlikely to hit any users. There can be but one ui-config folders. This makes it quite unlikely for any user to have created an additional folder starting with ui-config. Users could also rename this folder, but since there is no real reason for anyone to do this, this, again is extremely unlikely to trigger this issue.

How to fix the issue

  • To mitigate this, check if you have folders which start with the same path as your ui-config folder
  • A fix is available in https://github.com/opencast/opencast/pull/6979
  • Updating to Opencast 17.7 or 18.1 will fix the issue
Database specific 
{
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-29T15:34:37Z",
    "nvd_published_at": "2025-08-29T16:15:36Z",
    "cwe_ids": [
        "CWE-23"
    ]
}
References

Affected packages

Maven / org.opencastproject:opencast-user-interface-configuration

Package

Name
org.opencastproject:opencast-user-interface-configuration
View open source insights on deps.dev
Purl
pkg:maven/org.opencastproject/opencast-user-interface-configuration

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
17.7

Affected versions

7.*

7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9

8.*

8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11

9.*

9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.9
9.10
9.11
9.12

10.*

10.0
10.1
10.2
10.3
10.4
10.5
10.6
10.7
10.8
10.9
10.10
10.11
10.12

11.*

11.0
11.1
11.2
11.3
11.4
11.5
11.6
11.7
11.8
11.9
11.10
11.11

12.*

12.0
12.1
12.2
12.3
12.5
12.6
12.7
12.8
12.9
12.11
12.12
12.13

13.*

13.0
13.1
13.2
13.4
13.5
13.6
13.7
13.8
13.10
13.11
13.12

14.*

14.0
14.1
14.2
14.3
14.5
14.6
14.7
14.8
14.9
14.10
14.11
14.12
14.13

15.*

15.0
15.1
15.2
15.3
15.4
15.5
15.6
15.7
15.8
15.9
15.10
15.11
15.12
15.13

16.*

16.0
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10

Maven / org.opencastproject:opencast-user-interface-configuration

Package

Name
org.opencastproject:opencast-user-interface-configuration
View open source insights on deps.dev
Purl
pkg:maven/org.opencastproject/opencast-user-interface-configuration

Affected ranges

Type
ECOSYSTEM
Events
Introduced
18.0
Fixed
18.1

Affected versions

18.*

18.0