Platform
java
Component
org.opencastproject:opencast-user-interface-configuration
Fixed in
17.7.1
18.0.1
17.7
CVE-2025-55202 describes a path traversal vulnerability in the OpenCast UI Configuration module. Under specific conditions it allows an attacker to read files in adjacent directories that share a common path prefix with the configuration directory. Versions of OpenCast UI Configuration up to and including 9.9 are affected; a fix is available in version 17.7.
The vulnerability stems from an insufficient path traversal check in the UI configuration module. The requested path is validated against the configuration directory as a plain string prefix, without confirming that the prefix is followed by a file separator. A resolved path that merely begins with the same characters as the base directory therefore passes the check. For example, if the default UI configuration directory is /etc/opencast/ui-config, an attacker could read files in a directory such as /etc/opencast/ui-config-hidden, provided those files are readable by the Opencast process. General path traversal (escaping to arbitrary locations) is not possible, but unauthorized access to sensitive configuration data or other files stored in such adjacent directories remains a risk.
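The following Java snippet is an added illustration of the check pattern described above; it is not Opencast's own code, and the base directory /etc/opencast/ui-config and the sample request strings are assumptions taken from the advisory's example. It contrasts a character-wise String.startsWith prefix test with the component-wise Path.startsWith test that rejects sibling directories sharing only a prefix.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class UiConfigPathCheck {
    // Assumed configuration root (the advisory's example directory).
    static final Path BASE = Paths.get("/etc/opencast/ui-config").normalize();

    // Weak check of the kind the advisory describes: a string prefix test
    // that ignores the file separator, so a resolved path such as
    // "/etc/opencast/ui-config-hidden/x" is accepted as if it were inside BASE.
    static boolean weakCheck(String requested) {
        Path resolved = BASE.resolve(requested).normalize();
        return resolved.toString().startsWith(BASE.toString());
    }

    // Hardened check: Path.startsWith compares whole path name elements,
    // so "ui-config-hidden" does not match the element "ui-config".
    static boolean hardenedCheck(String requested) {
        Path resolved = BASE.resolve(requested).normalize();
        return resolved.startsWith(BASE);
    }

    public static void main(String[] args) {
        // Constructed sample requests: a legitimate file, a sibling-directory
        // request that only the weak check accepts, and a full escape attempt
        // that both checks reject.
        String[] samples = {
            "theme.json",
            "../ui-config-hidden/secret.properties",
            "../../passwd",
        };
        for (String s : samples) {
            System.out.printf("%-40s weak=%-5b hardened=%b%n",
                    s, weakCheck(s), hardenedCheck(s));
        }
    }
}
```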
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate exploitation. The CVSS score of 2.5 (LOW) reflects the limited scope and difficulty of exploitation. The vulnerability was publicly disclosed on 2025-08-29.
Organizations deploying OpenCast for video management and streaming, particularly those using legacy configurations or shared hosting environments, are at risk. Systems with default directory structures and permissive file permissions are especially vulnerable.
• linux / server: List directories adjacent to the UI configuration directory that share its path prefix, together with any files in them that are readable by other users (the original command searched inside ui-config/ itself and so could never match an adjacent directory):
find /etc/opencast/ -maxdepth 1 -type d -name 'ui-config?*' -exec find {} -type f -perm -o=r -ls \;
• java / server: Monitor OpenCast application logs for unusual file access attempts or errors related to path traversal. Look for patterns indicating attempts to access files outside the expected configuration directory.
• generic web: Examine web server access logs for requests targeting the UI configuration endpoint with unusual path parameters. Look for attempts to manipulate the path to access files outside the intended directory.
disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
The primary mitigation for CVE-2025-55202 is to upgrade OpenCast UI configuration to version 17.7 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing stricter file permissions on the /etc/opencast/ui-config directory and any adjacent directories containing sensitive data. Ensure that only the Opencast process has read access to these files. While a WAF or proxy rule is unlikely to be effective for this specific vulnerability, reviewing and hardening the overall Opencast deployment is recommended. After upgrading, verify the fix by attempting to access a file outside the intended UI configuration directory using a crafted request; access should be denied.
Update Opencast to version 17.7 or later, or to version 18.1, to fix the path traversal vulnerability. As a temporary measure, review the UI configuration and make sure there are no folders whose path begins with the same path as the ui-config folder.
CVE-2025-55202 is a Path Traversal vulnerability affecting OpenCast UI Configuration versions up to 9.9, allowing potential access to files in adjacent directories under specific conditions.
You are affected if you are using OpenCast UI Configuration version 9.9 or earlier. Upgrade to version 17.7 to mitigate the vulnerability.
Upgrade OpenCast UI Configuration to version 17.7 or later. As a temporary workaround, restrict file permissions on the UI configuration directory and its adjacent directories.
There is currently no evidence of active exploitation of CVE-2025-55202, and no public proof-of-concept exploits are known.
Refer to the OpenCast project's security advisories and release notes for details on CVE-2025-55202 and the corresponding fix: [https://opencastproject.org/security/](https://opencastproject.org/security/)