CVE-2025-55202

Description

The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases. The path is checked without checking for the file separator. This could allow attackers access to files within another folder which starts with the same path. For example, the default UI config directory is placed at `/etc/opencast/ui-config`. Without this patch, an attacker can get access to files in a folder `/etc/opencast/ui-config-hidden` if those files are readable by Opencast. General path traversal is not possible. For example, an attacker **cannot** exploit this to access files in `/etc/opencast/encoding` or even in `/etc/opencast/` directly. ### How dangerous is this? Theoretically, this vulnerability may be exploited to get access to some non-public files. However, given the default structure of Opencast's configuration, this is extremely unlikely to hit any users. There can be but one `ui-config` folders. This makes it quite unlikely for any user to have created an additional folder starting with `ui-config`. Users could also rename this folder, but since there is no real reason for anyone to do this, this, again is extremely unlikely to trigger this issue. ### How to fix the issue - To mitigate this, check if you have folders which start with the same path as your `ui-config` folder - A fix is available in https://github.com/opencast/opencast/pull/6979 - Updating to Opencast 17.7 or 18.1 will fix the issue

How to fix CVE-2025-55202

To remediate CVE-2025-55202, upgrade the affected package to a fixed version below.

—upgrade to 17.7 or later

Is CVE-2025-55202 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 17.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U