CVE-2025-27101: Broken Access Control in Opal filesystem's copy functionality exposes all user data
Description
Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, when copying any parent directory to a folder in the /temp/ directory, all files in that parent directory are copied, including files which the user should not have access to. All users of the application are impacted, as this is exploitable by any user to reveal all files in the opal filesystem. This also means that low-privilege users such as DataShield users can retrieve the files of other users. Version 5.1.1 contains a patch for the issue.
Classification
CVE ID: CVE-2025-27101
CVSS Base Severity: HIGH
CVSS Base Score: 7.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Problem Types
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Affected Products
Vendor: obiba
Product: opal
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 12.25% (scored less or equal to compared to others)
EPSS Date: 2025-04-09 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-27101https://github.com/obiba/opal/security/advisories/GHSA-rxmx-gqjj-vhv8
https://github.com/obiba/opal/commit/fca7dc9c8348064741b2e8b2c31b66660a935743