CVE-2021-39181

OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684	Patch Third Party Advisory
https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w	Third Party Advisory
https://jira.openolat.org/browse/OO-5548	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frentix:openolat::::::::
	cpe:2.3:a:frentix:openolat::::::::

History

No history.

Information

Published : 2021-09-01 20:15

Updated : 2021-09-10 19:41

NVD link : CVE-2021-39181

Mitre link : CVE-2021-39181

CVE.ORG link : CVE-2021-39181

JSON object : View

Products Affected

frentix

openolat

CWE

CWE-91

XML Injection (aka Blind XPath Injection)

{"id": "CVE-2021-39181", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-09-01T20:15:07.383", "references": [{"url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://jira.openolat.org/browse/OO-5548", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-91"}]}], "descriptions": [{"lang": "en", "value": "OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading."}, {"lang": "es", "value": "OpenOlat es un sistema de administraci\u00f3n de aprendizaje (LMS) basado en la web. En versiones anteriores a 15.3.18, 15.5.3 y 16.0.0, usando un archivo XML de importaci\u00f3n preparado (por ejemplo, un curso) se puede instanciar cualquier clase en el classpath de Java, incluyendo las f\u00e1bricas de beans de Spring AOP. Esto puede ser usado para ejecutar c\u00f3digo arbitrario por el atacante. El ataque requiere una cuenta de usuario de OpenOlat con el rol de autor. No puede ser explotado por usuarios no registrados. El problema est\u00e1 corregido en las versiones 15.3.18, 15.5.3 y 16.0.0. No se conocen soluciones aparte de la actualizaci\u00f3n"}], "lastModified": "2021-09-10T19:41:00.453", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frentix:openolat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D18C8612-B20D-48F2-9C01-E85A5E518CD7", "versionEndExcluding": "15.3.18"}, {"criteria": "cpe:2.3:a:frentix:openolat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D657DED-9FB5-4E6E-BC7A-2E9F008F2C22", "versionEndExcluding": "15.5.3", "versionStartIncluding": "15.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}