CVE-2024-28198

2024-03-1120:15:07

Google

osv.dev

openolat

e-learning platform

ssrf vulnerability

version 18.1.6

version 18.2.2

7.1 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version 18.1.6 and 18.2.2. It is advised to upgrade to the latest version of 18.1.x or 18.2.x. Users unable to upgrade may work around this issue by disabling the Draw.io module or the entire REST API which will secure the system.

CPENameOperatorVersion
openolateqOpenOLAT_15.pre.3
openolateqOpenOLAT_8.0.3
openolateqOpenOLAT_14.1.2
openolateqOpenOLAT_15.5.4
openolateqOpenOLAT_15.pre.6
openolateqOpenOLAT_15.0.5
openolateqOpenOLAT_17.1.10
openolateqOpenOLAT_10.0.9
openolateqOpenOLAT_9.3.2
openolateqOpenOLAT_17.0.7

Name	Operator	Version
openolat	eq	OpenOLAT_15.pre.3
openolat	eq	OpenOLAT_8.0.3
openolat	eq	OpenOLAT_14.1.2
openolat	eq	OpenOLAT_15.5.4
openolat	eq	OpenOLAT_15.pre.6
openolat	eq	OpenOLAT_15.0.5
openolat	eq	OpenOLAT_17.1.10
openolat	eq	OpenOLAT_10.0.9
openolat	eq	OpenOLAT_9.3.2
openolat	eq	OpenOLAT_17.0.7