CVE-2021-39181 - OpenCVE

OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Frentix	Openolat

Configuration 1 [-]

OR	cpe:2.3:a:frentix:openolat::::::::
	cpe:2.3:a:frentix:openolat::::::::

No data.

References

Link	Providers
https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684
https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w
https://jira.openolat.org/browse/OO-5548

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-09-01T19:45:11

Updated: 2024-08-04T01:58:18.230Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39181

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-01T20:15:07.383

Modified: 2021-09-10T19:41:00.453

Link: CVE-2021-39181

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "OpenOLAT", "vendor": "OpenOLAT", "versions": [{"status": "affected", "version": "< 15.3.18"}, {"status": "affected", "version": ">= 15.4.0, < 15.5.3"}]}], "descriptions": [{"lang": "en", "value": "OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-91", "description": "CWE-91: XML Injection (aka Blind XPath Injection)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-01T19:45:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.openolat.org/browse/OO-5548"}], "source": {"advisory": "GHSA-596v-3gwh-2m9w", "discovery": "UNKNOWN"}, "title": "Unsafe Deserialization of User Data Using XStream", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39181", "STATE": "PUBLIC", "TITLE": "Unsafe Deserialization of User Data Using XStream"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OpenOLAT", "version": {"version_data": [{"version_value": "< 15.3.18"}, {"version_value": ">= 15.4.0, < 15.5.3"}]}}]}, "vendor_name": "OpenOLAT"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-91: XML Injection (aka Blind XPath Injection)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w", "refsource": "CONFIRM", "url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w"}, {"name": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684", "refsource": "MISC", "url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684"}, {"name": "https://jira.openolat.org/browse/OO-5548", "refsource": "MISC", "url": "https://jira.openolat.org/browse/OO-5548"}]}, "source": {"advisory": "GHSA-596v-3gwh-2m9w", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.230Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.openolat.org/browse/OO-5548"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39181", "datePublished": "2021-09-01T19:45:11", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.230Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frentix:openolat:*:*:*:*:*:*:*:*", "matchCriteriaId": "D18C8612-B20D-48F2-9C01-E85A5E518CD7", "versionEndExcluding": "15.3.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:frentix:openolat:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D657DED-9FB5-4E6E-BC7A-2E9F008F2C22", "versionEndExcluding": "15.5.3", "versionStartIncluding": "15.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading."}, {"lang": "es", "value": "OpenOlat es un sistema de administraci\u00f3n de aprendizaje (LMS) basado en la web. En versiones anteriores a 15.3.18, 15.5.3 y 16.0.0, usando un archivo XML de importaci\u00f3n preparado (por ejemplo, un curso) se puede instanciar cualquier clase en el classpath de Java, incluyendo las f\u00e1bricas de beans de Spring AOP. Esto puede ser usado para ejecutar c\u00f3digo arbitrario por el atacante. El ataque requiere una cuenta de usuario de OpenOlat con el rol de autor. No puede ser explotado por usuarios no registrados. El problema est\u00e1 corregido en las versiones 15.3.18, 15.5.3 y 16.0.0. No se conocen soluciones aparte de la actualizaci\u00f3n"}], "id": "CVE-2021-39181", "lastModified": "2021-09-10T19:41:00.453", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-09-01T20:15:07.383", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afde82e3be57bc614352ab92c05684"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-596v-3gwh-2m9w"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://jira.openolat.org/browse/OO-5548"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-91"}], "source": "security-advisories@github.com", "type": "Primary"}]}