SB2021122209 - Information disclosure in Opencast
Published: December 22, 2021 Updated: December 27, 2021
Security Bulletin ID
SB2021122209
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Files or Directories Accessible to External Parties (CVE-ID: CVE-2021-43821)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a logic error that allows references to local file URLs in ingested media packages. A remote user can include arbitrary local files from Opencast's host machine and make them publicly available via the web interface.
Remediation
Install update from vendor's website.
References
- https://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcp
- https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587
- https://mvnrepository.com/artifact/org.opencastproject/opencast-ingest-service-impl
- https://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764