Unsafe Deserialization of User Data Using XStream
CVE-2021-39181

8.8HIGH

Key Information:

Vendor

Openolat

Status
Openolat
Vendor
CVE Published:
1 September 2021

What is CVE-2021-39181?

OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.

Affected Version(s)

OpenOLAT < 15.3.18 < 15.3.18

OpenOLAT >= 15.4.0, < 15.5.3 < 15.4.0, 15.5.3

References

https://github.com/OpenOLAT/OpenOLAT/security/advisories/...
x_refsource_CONFIRM
https://github.com/OpenOLAT/OpenOLAT/commit/3f219ac457afd...
x_refsource_MISC
https://jira.openolat.org/browse/OO-5548
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.