ghsa-hq8m-v68g-8cf8
Vulnerability from github
Published
2025-08-29 15:34
Modified
2025-08-29 21:13
Summary
Opencast has a partial path traversal vulnerability in UI config
Details

The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases.

The requested path is checked as a plain string prefix, without requiring a file separator after the base directory. This could allow attackers access to files within another folder whose path starts with the same prefix. For example, the default UI config directory is placed at /etc/opencast/ui-config. Without this patch, an attacker can get access to files in a folder /etc/opencast/ui-config-hidden if those files are readable by Opencast.

General path traversal is not possible. For example, an attacker cannot exploit this to access files in /etc/opencast/encoding or even in /etc/opencast/ directly.

How dangerous is this?

Theoretically, this vulnerability may be exploited to get access to some non-public files. However, given the default structure of Opencast's configuration, this is extremely unlikely to hit any users. There can be but one ui-config folder. This makes it quite unlikely for any user to have created an additional folder starting with ui-config. Users could also rename this folder, but since there is no real reason for anyone to do this, this, again, is extremely unlikely to trigger this issue.

How to fix the issue

  • To mitigate this, check whether you have folders next to your ui-config folder whose names start with the same prefix
  • A fix is available in https://github.com/opencast/opencast/pull/6979
  • Updating to Opencast 17.7 or 18.1 will fix the issue
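The prefix check described above and the mitigation check from the list, as an added Python example (illustrative code, not Opencast's own implementation); the temporary directory layout, the file names and the prefix_sibling_dirs helper are constructed for the demonstration:

```python
import os
import tempfile
from pathlib import Path


def resolve(base_dir: str, requested: str) -> str:
    # Join the requested relative path to the base directory and canonicalise it.
    return os.path.realpath(os.path.join(base_dir, requested))


def is_within_vulnerable(base_dir: str, requested: str) -> bool:
    # Bare string-prefix check, as the advisory describes: ".../ui-config-hidden/x"
    # starts with ".../ui-config", so a sibling directory is wrongly accepted.
    base = os.path.realpath(base_dir)
    return resolve(base_dir, requested).startswith(base)


def is_within_fixed(base_dir: str, requested: str) -> bool:
    # Require the separator right after the base path (or an exact match), so a
    # sibling directory that merely shares the prefix is rejected.
    base = os.path.realpath(base_dir)
    target = resolve(base_dir, requested)
    return target == base or target.startswith(base + os.sep)


def prefix_sibling_dirs(base_dir: str) -> list[str]:
    # The advisory's mitigation check: directories next to the ui-config folder
    # whose names start with the same prefix (constructed helper, not Opencast code).
    base = Path(base_dir)
    return sorted(str(p) for p in base.parent.glob(base.name + "*")
                  if p.is_dir() and p != base)


def demo() -> dict:
    # Constructed layout: <tmp>/ui-config and its prefix-sharing sibling.
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "ui-config")
        hidden = os.path.join(root, "ui-config-hidden")
        os.makedirs(base)
        os.makedirs(hidden)
        Path(hidden, "secret.json").write_text("{}")
        sibling_file = "../ui-config-hidden/secret.json"
        return {
            "vulnerable_accepts_sibling": is_within_vulnerable(base, sibling_file),
            "fixed_accepts_sibling": is_within_fixed(base, sibling_file),
            "fixed_accepts_legitimate": is_within_fixed(base, "mh_default_org/theme.json"),
            "vulnerable_accepts_general_traversal": is_within_vulnerable(base, "../encoding/x"),
            "prefix_siblings": [os.path.basename(p) for p in prefix_sibling_dirs(base)],
        }
```

Running demo() shows the old check accepting the sibling folder while still refusing general traversal into ../encoding, exactly the scope the advisory describes, and the separator-aware check refusing the sibling without breaking legitimate lookups.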


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-user-interface-configuration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-user-interface-configuration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.0"
            },
            {
              "fixed": "18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "18.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-29T15:34:37Z",
    "nvd_published_at": "2025-08-29T16:15:36Z",
    "severity": "LOW"
  },
  "details": "The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases.\n\nThe path is checked without checking for the file separator. This could allow attackers access to files within another folder which starts with the same path. For example, the default UI config directory is placed at `/etc/opencast/ui-config`. Without this patch, an attacker can get access to files in a folder `/etc/opencast/ui-config-hidden` if those files are readable by Opencast.\n\nGeneral path traversal is not possible. For example, an attacker **cannot** exploit this to access files in `/etc/opencast/encoding` or even in `/etc/opencast/` directly.\n\n### How dangerous is this?\n\nTheoretically, this vulnerability may be exploited to get access to some non-public files. However, given the default structure of Opencast\u0027s configuration, this is extremely unlikely to hit any users. There can be but one `ui-config` folders. This makes it quite unlikely for any user to have created an additional folder starting with `ui-config`. Users could also rename this folder, but since there is no real reason for anyone to do this, this, again is extremely unlikely to trigger this issue.\n\n### How to fix the issue\n\n- To mitigate this, check if you have folders which start with the same path as your `ui-config` folder\n- A fix is available in https://github.com/opencast/opencast/pull/6979\n- Updating to Opencast 17.7 or 18.1 will fix the issue",
  "id": "GHSA-hq8m-v68g-8cf8",
  "modified": "2025-08-29T21:13:29Z",
  "published": "2025-08-29T15:34:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-hq8m-v68g-8cf8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55202"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/pull/6979"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/e2cc65d6fbe052ebb71d9f6b583bb54b181af009"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencast/opencast"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Opencast has a partial path traversal vulnerability in UI config"
}