CVE-2025-54380
MEDIUM6.5EPSS 0.19%Opencast still publishes global system account credentials
Description
### Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file. A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch. ### Impact Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. ### Patches This issue is fixed in Opencast 17.6 If you have any questions or comments about this advisory: - Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues) - Email us at [email protected]
Affected packages (4)
- Maven/org.opencastproject:opencast-commonfrom 0, < 17.6
- Maven/org.opencastproject:opencast-ingest-service-implfrom 0, < 17.6
- Maven/org.opencastproject:opencast-kernelfrom 0, < 17.6
- Maven/org.opencastproject:opencast-publication-service-oaipmh-remotefrom 0, < 17.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54380
- PATCHhttps://github.com/opencast/opencast
- WEBhttps://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6
- WEBhttps://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a
- WEBhttps://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
- WEBhttps://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7