CVE-2021-39181
Summary
| CVE | CVE-2021-39181 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-09-01 20:15:00 UTC |
| Updated | 2021-09-10 19:41:00 UTC |
| Description | OpenOlat is a web-based learning management system (LMS). Prior to versions 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course), any class on the Java classpath can be instantiated, including Spring AOP bean factories. This can be used by the attacker to execute arbitrary code. The attack requires an OpenOlat user account with the authoring role; it cannot be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading. |
Risk And Classification
Problem Types: CWE-91
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Log in - OpenOlat Issue Management | MISC | jira.openolat.org | |
| Unsafe Deserialization of User Data Using XStream · Advisory · OpenOLAT/OpenOLAT · GitHub | CONFIRM | github.com | |
| OO-5548: setup security of XStream by default · OpenOLAT/OpenOLAT@3f219ac · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.