Headline
GHSA-hq8m-v68g-8cf8: Opencast has a partial path traversal vulnerability in UI config
The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases.
The path is checked without checking for the file separator. This could allow attackers access to files within another folder which starts with the same path. For example, the default UI config directory is placed at /etc/opencast/ui-config. Without this patch, an attacker can get access to files in a folder /etc/opencast/ui-config-hidden if those files are readable by Opencast.
General path traversal is not possible. For example, an attacker cannot exploit this to access files in /etc/opencast/encoding or even in /etc/opencast/ directly.
How dangerous is this?
Theoretically, this vulnerability may be exploited to get access to some non-public files. However, given the default structure of Opencast’s configuration, this is extremely unlikely to hit any users. There can be but one ui-config folders. This makes it quite unlikely for any user to have created an additional folder starting with ui-config. Users could also rename this folder, but since there is no real reason for anyone to do this, this, again is extremely unlikely to trigger this issue.
How to fix the issue
- To mitigate this, check if you have folders which start with the same path as your
ui-configfolder - A fix is available in https://github.com/opencast/opencast/pull/6979
- Updating to Opencast 17.7 or 18.1 will fix the issue
The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases.
The path is checked without checking for the file separator. This could allow attackers access to files within another folder which starts with the same path. For example, the default UI config directory is placed at /etc/opencast/ui-config. Without this patch, an attacker can get access to files in a folder /etc/opencast/ui-config-hidden if those files are readable by Opencast.
General path traversal is not possible. For example, an attacker cannot exploit this to access files in /etc/opencast/encoding or even in /etc/opencast/ directly.
How dangerous is this?
Theoretically, this vulnerability may be exploited to get access to some non-public files. However, given the default structure of Opencast’s configuration, this is extremely unlikely to hit any users. There can be but one ui-config folders. This makes it quite unlikely for any user to have created an additional folder starting with ui-config. Users could also rename this folder, but since there is no real reason for anyone to do this, this, again is extremely unlikely to trigger this issue.
How to fix the issue
- To mitigate this, check if you have folders which start with the same path as your ui-config folder
- A fix is available in opencast/opencast#6979
- Updating to Opencast 17.7 or 18.1 will fix the issue
References
- GHSA-hq8m-v68g-8cf8
- opencast/opencast#6979
- opencast/opencast@e2cc65d