CVE-2025-55202: 
Java vulnerability analysis and mitigation

Opencast, a free open-source platform for managing educational audio and video content, disclosed a path traversal vulnerability (CVE-2025-55202) affecting version 18.0 and versions before 17.7. The vulnerability was discovered in the UI config module where protections against path traversal attacks were found to be insufficient (NVD, GitHub Advisory).

The vulnerability stems from improper path validation in the UI config module, where the path is checked without verifying the file separator. This could allow attackers to access files within another folder that starts with the same path. For example, if the default UI config directory is at '/etc/opencast/ui-config', an attacker could potentially access files in '/etc/opencast/ui-config-hidden'. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) and CVSS v4.0 score of 2.7 (Low) (NVD).

The vulnerability could potentially allow unauthorized access to non-public files within similarly named directories. However, the impact is limited as general path traversal is not possible - attackers cannot exploit this to access files in other directories like '/etc/opencast/encoding' or '/etc/opencast/' directly. The practical impact is considered low due to the default structure of Opencast's configuration, which typically includes only one ui-config folder (GitHub Advisory).

The vulnerability has been fixed in versions 17.7 and 18.1. Users are advised to upgrade to these patched versions. As a temporary mitigation, administrators should check for and remove any folders that start with the same path as their ui-config folder (GitHub Commit, GitHub Advisory).