CVE-2021-43821: 
Java vulnerability analysis and mitigation

CVE-2021-43821 affects Opencast versions before 10.6, allowing attackers to reference local file URLs in ingested media packages. This vulnerability was discovered and disclosed on December 14, 2021. The issue affects the opencast-ingest-service-impl Maven package and impacts Opencast installations running versions prior to 10.6 (GitHub Advisory).

The vulnerability stems from Opencast's ingest service implementation allowing references to local file URLs during media package ingestion. The service would open and include local files during ingests without proper validation, enabling access to files that the Opencast process has read permissions for. The issue is tracked as CWE-552, indicating an unsafe file access vulnerability (GitHub Advisory).

An attacker with privileges to add new media could exploit this vulnerability to extract sensitive files from the host machine through the web interface. For example, they could access configuration files like custom.properties by submitting a specially crafted request to the ingest endpoint. While the attack requires media addition privileges, these permissions are commonly granted to many users (GitHub Advisory).

The vulnerability has been patched in Opencast versions 10.6 and 11.0. For systems that cannot be immediately updated, mitigation can be achieved by restricting Opencast's read access to files using UNIX permissions or mandatory access control systems like SELinux. However, this workaround cannot prevent access to files that Opencast needs to read, making updating to a patched version the recommended solution (GitHub Advisory).