ghsa-j63h-hmgw-x4j7
Vulnerability from github
Published
2025-07-25 20:13
Modified
2025-07-28 13:04
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Opencast still publishes global system account credentials
Details

Description

Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch.

Impact

Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing.

Patches

This issue is fixed in Opencast 17.6

If you have any questions or comments about this advisory: - Open an issue in our issue tracker - Email us at security@opencast.org

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-ingest-service-impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-publication-service-oaipmh-remote"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T20:13:45Z",
    "nvd_published_at": "2025-07-26T04:16:06Z",
    "severity": "MODERATE"
  },
  "details": "### Description\nOpencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file.  A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all.  The remainder are addressed with this patch.\n\n### Impact\nAnyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing.\n\n### Patches\nThis issue is fixed in Opencast 17.6\n\nIf you have any questions or comments about this advisory:\n- Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues)\n- Email us at security@opencast.org",
  "id": "GHSA-j63h-hmgw-x4j7",
  "modified": "2025-07-28T13:04:42Z",
  "published": "2025-07-25T20:13:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54380"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencast/opencast"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Opencast still publishes global system account credentials "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.