VYPR
Get started
← All advisories
Critical severityNVD Advisory· Published Dec 14, 2021· Updated Aug 4, 2024

Files Accessible to External Parties in Opencast

CVE-2021-43821

Description

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. Before Opencast 9.10 and 10.6, Opencast would open and include local files during ingests. Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine. An attacker would need to have the privileges required to add new media to exploit this. But these are often widely given. The issue has been fixed in Opencast 10.6 and 11.0. You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.opencastproject:opencast-ingest-service-implMaven
< 10.610.6

Affected products

1

Patches

1
65c46b9d3e8f

Merge pull request from GHSA-59g4-hpg3-3gcp

https://github.com/opencast/opencastGreg LoganDec 13, 2021via ghsa
commit
2 files changed · +14 1
  • modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java+6 1 modified
    @@ -315,6 +315,8 @@ public class IngestServiceImpl extends AbstractJobProducer implements IngestServ
   private boolean skipCatalogs = DEFAULT_SKIP;
   private boolean skipAttachments = DEFAULT_SKIP;
 
+  protected boolean testMode = false;
+
   /**
    * Creates a new ingest service instance.
    */
@@ -1601,8 +1603,11 @@ protected URI addContentToRepo(MediaPackage mp, String elementId, URI uri) throw
           throw new IOException(uri + " returns http " + httpStatusCode);
         }
         in = response.getEntity().getContent();
-      } else {
+        //If it does not start with file, or we're in test mode (ie, to allow arbitrary file:// access)
+      } else if (!uri.toString().startsWith("file") || testMode) {
         in = uri.toURL().openStream();
+      } else {
+        throw new IOException("Refusing to fetch files from the local filesystem");
       }
       String fileName = FilenameUtils.getName(uri.getPath());
       if (isBlank(FilenameUtils.getExtension(fileName)))
  • modules/ingest-service-impl/src/test/java/org/opencastproject/ingest/impl/IngestServiceImplTest.java+8 0 modified
    @@ -344,6 +344,7 @@ protected CloseableHttpClient getNoAuthHttpClient() {
     Dictionary<String, String> p = new Hashtable<>();
     p.put(IngestServiceImpl.DOWNLOAD_SOURCE, "http://localhost.*|http://www.test.com/.*");
     service.updated(p);
+    service.testMode = true;
   }
 
   @After
@@ -491,6 +492,13 @@ public void testAuthWhitelist() throws Exception {
     testAuthWhitelist("http://www.example.org/testfile", "http://localhost.*", true, false, true);
     //Matching regex
     testAuthWhitelist("http://www.example.org/testfile", "http://localhost.*|http://www.example.org/.*", false, true, true);
+
+    //Local filesystem should be actively rejected.  This file needs to *not* be in the resources directory (look in the impl for why), and needs to be readable by the user running the test
+    //NB: This is a horrible, horrible hack, but it's the only way I can think of to get *out* of test-classes.  If you try and ../ your way up above that getResource NPEs, as expected.
+    testAuthWhitelist(getClass().getResource("./../../../../").toURI().resolve("../../pom.xml").toString(), ".*", true, false, false);
+    //Test to ensure we can't use '..' to get around filters.  Removing the ".." works as expected, see below
+    testAuthWhitelist(getClass().getResource("./../impl/IngestServiceImplTest.class").toURI().toString(), ".*", true, false, false);
+    testAuthWhitelist(getClass().getResource("./IngestServiceImplTest.class").toURI().toString(), ".*", false, false, false);
   }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.