CVE-2021-43821

Name: CVE-2021-43821
Creator: NVD / NIST
Published: 2021-12-14T20:15:07.617+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.7/10EPSS 1.96%

Last modified Jun 17, 2026

CVE-2021-43821 is a high-severity vulnerability rated 7.7/10 on the CVSS scale. Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. EPSS estimates a 1.96% chance of exploitation in the next 30 days.

Description

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. Before Opencast 9.10 and 10.6, Opencast would open and include local files during ingests. Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine. An attacker would need to have the privileges required to add new media to exploit this. But these are often widely given. The issue has been fixed in Opencast 10.6 and 11.0. You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.

Metrics

CVSS 3.1

7.7/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Probability

1.96%

77.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apereo	Opencast	< 10.6

References

https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587Patch, Third Party Advisory
https://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764Patch, Third Party Advisory
https://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcpExploit, Third Party Advisory
https://mvnrepository.com/artifact/org.opencastproject/opencast-ingest-service-implThird Party Advisory
https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587Patch, Third Party Advisory
https://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764Patch, Third Party Advisory
https://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcpExploit, Third Party Advisory
https://mvnrepository.com/artifact/org.opencastproject/opencast-ingest-service-implThird Party Advisory

Timeline

Published: Dec 14, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-43821?

How severe is CVE-2021-43821?

CVE-2021-43821 has a CVSS score of 7.7/10 (HIGH severity). The EPSS model estimates a 1.96% probability of exploitation in the next 30 days.

How do I fix CVE-2021-43821?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-43821?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST