CVE-2025-54380
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-54380
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54380.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-54380
- Aliases
- Related
- Published
- 2025-07-26T04:16:06Z
- Modified
- 2025-09-19T15:29:50.014858Z
- Summary
- [none]
- Details
-
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6.
- References
Affected packages
Git / github.com/opencast/opencast
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opencast/opencast
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.4.0
1.4.1
1.4.2
1.4.2-rc2
1.4.3
1.4.4
1.4.4-rc1
1.5.0
1.5.0-rc1
1.5.0-rc2
1.5.0-rc3
1.5.0-rc4
1.5.0-rc5
1.5.0-rc6
1.5.0-rc7
1.5.1
1.6.0
1.6.0-RC1
1.6.0-beta1
1.6.0-beta2
1.6.0-beta3
1.6.0-beta4
1.6.1-RC1
2.*
2.0.0-beta1
2.0.0-beta2
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2025-54380-0e7d5003",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1905.0,
"function_hash": "33267684451523519168981670217664797022"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "successIfNonceReturnOnceAndThreeRetries"
}
},
{
"id": "CVE-2025-54380-1245b363",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"241314820852586371973860256091170956652",
"166835917085810462864689765334951766062",
"84341754773775827723574197876631611797",
"254935323404549347643228747267597757720",
"226304915611312802957857380467697512815",
"216652139644961002553506013979800203447",
"305308755081255567098959341709884623458",
"195850121392123977483291809673581546930",
"207592370479612828679026381312176469253",
"224278271293782279894604477213429251778",
"118201962389841228039933789608325273000",
"164994822807188648340030796471256645690",
"307349730119945149912482504966433771647",
"74151341878985021643871001858910206620",
"79675876901777055428646744861562717329",
"19909594380487682828274305847086205951",
"187760574193809034716475236549422224129",
"106705177129922773608495635823487803247",
"156946984380247373484713601795759511894",
"326032478603413331869838475584216775899",
"185136575934732483256503827480479530447",
"276461672264291049825802043982707023700",
"244590353391978410905257060466294847599",
"40326791783212431481617142909707094684"
]
},
"target": {
"file": "modules/publication-service-oaipmh-remote/src/test/java/org/opencastproject/publication/oaipmh/endpoint/OaiPmhPublicationRestServiceTest.java"
}
},
{
"id": "CVE-2025-54380-17fd8626",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1510.0,
"function_hash": "35327054906313953906390749471751906076"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "failsIfNonceReturnAndNoRetries"
}
},
{
"id": "CVE-2025-54380-2b45a120",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1048.0,
"function_hash": "246466050162204215823956829764277579592"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "testAlreadySignedUrlIgnoredByUrlSigningService"
}
},
{
"id": "CVE-2025-54380-373cca71",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1817.0,
"function_hash": "332535367413398826704433613195518319178"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "failsIfNonceReturnAndOneRetries"
}
},
{
"id": "CVE-2025-54380-3a90b783",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"62853924680478446159512250956755834534",
"212498436794089635277280263894034075580",
"45449254534959887544970460076422187740",
"333508154909164314724594566630503716848",
"165340057855826112429116493152662900462",
"309173365149056443855739449894514519148",
"221731511312725866880268310364518942710",
"171561296860503913402798489054191509818",
"120127400412233356017687083612700040267",
"124925250649540629428239727413252178533",
"21056351122359748632302219231782273926",
"86554439784893193168241192445385875725",
"173815272040953381375212373199998445260",
"239122182352963169916057500333913013450",
"48866649346369609105571618487558722920",
"278848962628741774346513266894144631777",
"146931198876648867522095901672272532553",
"130746784897628358417569732540616594879"
]
},
"target": {
"file": "modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java"
}
},
{
"id": "CVE-2025-54380-4076c80e",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"139929727364189660645598622320273764683",
"80665507254565497131858817892229718718",
"24856174107218680915596656726162262546",
"238256096574521199459169673708763344029",
"120711036125850212379263827616949688281",
"36133072287773920168812941079491007089",
"52691486853689323440223810520766860504",
"221764031607481603343011679903230286409",
"16260103176440761194861613382055588763",
"147928285375526655757869357804395628905",
"181056889681698523784777997674231738429",
"225751210888000918874882716226988612162",
"144779402057830502426733911980513030808",
"82770989694043602042080174064270520977",
"299329680825551856429578464896831432195",
"96786869133103175636421371521740956913"
]
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientResourceClosingTest.java"
}
},
{
"id": "CVE-2025-54380-4401aa5a",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1445.0,
"function_hash": "186753830489724995906322020470587152265"
},
"target": {
"file": "modules/ingest-service-impl/src/test/java/org/opencastproject/ingest/impl/IngestServiceImplTest.java",
"function": "testAuthWhitelist"
}
},
{
"id": "CVE-2025-54380-47ae5efc",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1905.0,
"function_hash": "38599007320804146980337810970472216407"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "successIfNonceReturnOnceAndOneRetries"
}
},
{
"id": "CVE-2025-54380-4a58a51d",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 518.0,
"function_hash": "209342298294151028339743882661625040732"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientResourceClosingTest.java",
"function": "TestHttpClient"
}
},
{
"id": "CVE-2025-54380-4b44e4f4",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"102511521462618348277522793996096303354",
"44461138069652830568744711938305186153",
"291742641338325639225093832276597013665",
"199722346418308506504331096739960952223",
"295275135126020002760384739671130454242",
"102595248028596618927039952849807341121",
"207769228645828726042173503110531777974",
"176328470432058069727552199849735682613",
"13978070695406741450192232347261566074",
"56432041304412741737877278377962574890",
"167845684749844996238087938472738089993",
"39743254153625599447632811077728043235",
"262439260363951010319304412481643588646",
"8164392212159155582686295742624205198",
"255610854911144783924147356282936680517",
"294558678246900157818432387295592163418",
"148654552035926144894733680062454555137",
"329543716502434468240888966289408257432",
"119721248799095531459287297363076111532",
"12987917386172983544914044972813370044",
"251731801961450769278787289065724607414",
"26571772137910937911518789346604306643",
"222955007660286520260474735580582005904",
"312519977588143511282434974891690897945",
"46926422284383867153264197361807482758",
"202556210771908846155190099231057573435",
"25266889953155796472518899046942945711",
"286217635842130520377782106927735951247",
"151503308572758960412089418219124082711",
"42838239996952572119069811659730564839",
"313462415950908360587964457859119258250",
"287105943685341772204519697554317778465",
"205944684372940977423405489809266456381",
"216213160065673571004441789024555016317",
"217077008830904983005867585812491904911",
"109298593661214268240105011296072412870",
"64414676297389664669276527278473270593",
"159066012108114691395307694993354509571",
"27734561954821732731691456997013251208",
"46405031956459882925652667657919616931",
"258549428343781278465862090191403903944",
"281223119227634821178409053103027821195",
"27734561954821732731691456997013251208",
"46405031956459882925652667657919616931",
"258549428343781278465862090191403903944",
"281223119227634821178409053103027821195",
"27734561954821732731691456997013251208",
"46405031956459882925652667657919616931",
"258549428343781278465862090191403903944",
"281223119227634821178409053103027821195",
"27734561954821732731691456997013251208",
"46405031956459882925652667657919616931",
"258549428343781278465862090191403903944",
"281223119227634821178409053103027821195",
"27734561954821732731691456997013251208",
"46405031956459882925652667657919616931",
"258549428343781278465862090191403903944",
"281223119227634821178409053103027821195",
"92216788545371155491659923121718084921",
"253242329225367809244390383390358334671",
"112159126509908981022595974433735489832",
"4734578067687501308471769734520160729",
"92216788545371155491659923121718084921",
"253242329225367809244390383390358334671",
"27111501868616276394555551034478509857",
"34429766287624854679862973032256049941",
"45122987692156319103110045987593547216",
"68632547427662045276524696888640872831"
]
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java"
}
},
{
"id": "CVE-2025-54380-74510af8",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"182832900734385938433547045052634718786",
"147141659767052536004341684136544354202",
"113820526410459674244526345927307290631",
"164884492974283093459224349574241509622",
"171207274926417845787167266683134603557",
"20226080940954515456512049186275340479",
"243865780618817857318065807691084543899",
"164395018604047102296411006796887429921",
"311890198828296624656199722029602375751",
"135708800359994165028809023213016798868",
"311829084415388408587085281158871439060",
"1858248403514918301402293610784568977",
"124599403175667715117217063828037711315",
"233550040150733655005484968727372173943",
"132694437942578909817374598602384721574",
"191684910194370000397670091512816982674",
"49474592186876061281835414024860132905",
"320940503300428302124991996512628548249",
"230061619633125621865054274216014090727",
"227219284360180582381825125367655938202",
"338237109525430365707292448195762379290",
"320235485463365647232094938128875286504",
"226700647926303469945449032842403701501",
"157054545078588032521180247642943628211",
"333409596443494409377198868246809811292",
"50484947851922266502528911365764411390",
"36880939568376661005353048504766597317",
"192801949569054199425272709986164553175",
"231579186339847065086111530179839179099",
"312197895070450966043996581343784479675",
"225268567417202805657398319872337225555",
"340060336975642398492124118745111466388",
"100622316530835126565779785032585998375",
"225785412042434331576336136293998643679",
"297091246006664757341755099937161986319",
"200496566951935573505581571895238272724",
"276354407622619483141098001580935644210",
"282875209911318069366006751915328950746",
"188428686897734174238322002926386554441",
"239209437483939318502511664885584157162",
"112128343868417060919358629684849462487",
"271270159427905793847002861371460018136",
"274425656512906515145490058934275361754",
"236022190482462348908710553327139259310",
"153186924133170875222555352162559930118",
"96814705437469773129088163090413304445",
"172248501903438797714119953289383921646",
"317320091306097869583264254357184394924",
"317690968589340100955370304399088961223",
"236351005836834872375379261865309840128",
"248503236668884670907608037604300951322",
"104856635530204288933604930242040136483",
"214024901227600905062831207706312320537",
"75746123033885387501731635340041053117",
"152569930856497388743726040776007991854",
"264512191045495902781453204317869887427",
"316613845512462170448111584946028863003"
]
},
"target": {
"file": "modules/ingest-service-impl/src/test/java/org/opencastproject/ingest/impl/IngestServiceImplTest.java"
}
},
{
"id": "CVE-2025-54380-789f2c3a",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"337794712550236084964674712372975785659",
"120044259221704369469136050580691904780",
"183406063022796627931164884454698922923",
"333833871368118624589245122321311413948",
"143047571663135946294838387903737139359",
"262878811816557168075047299941988044399",
"314875400502749715796817284245435081541",
"217885182282270484859237563929094800390",
"69763297666177774327456288085221094651",
"207979451386141151128033609465634575192",
"281803190470332531070895948528689236474",
"301082430142331561332128645805434533134",
"182533361252460300940587231731948858755",
"224321254132389833716575650554261687518",
"79121172575245325854063663761484453809",
"329137452269167683909650480418772141126",
"318816731705378597856968369976948860528",
"217706122339383406774298165167196842041",
"211792722328853743588333195881831877617",
"163068358291310707681663075593340844178",
"134779788524992827892193387563987775453",
"153597845457558171191490958742241825810",
"2734343390807676751796770363196850705",
"194514266655755109631601029831577797233",
"231487874941334603182290024440515508514",
"188631898012180793544340784697253510759",
"304274256358306976070210096873207951932",
"193059236564378819138528592937435117835",
"117249893682627495231304050393518795307",
"333014049576664004738467658961255223419",
"106846725685638000790825470561382039754",
"194348482078561695627996515663131081334",
"135445913333228361614408715551276901487",
"2404789293739875213121625126240881020",
"272544848730240121256702932969350228896",
"219937259894927396114130430874066262393",
"43712682593296314972157998313228468385",
"312653894484065553323797956857529413651",
"305917904914296323552723155553493469419",
"214849027797930925514402074301161050467",
"77577131512991489930927219412160997404",
"123742435526955190901229725164284448153",
"164300994887793608146894815642371655861",
"24590814149393683230028927595167663585",
"265968816373203808337747713294253589117",
"243404376711411459993012851106778911207",
"81626756953312304466251620156279256791",
"75098414149827016278542279100913963135",
"173356078811685309185812497663461449667",
"18916167793503708079397424237185369836",
"280694159736079988108190221734434861217",
"259896072677452932335031749042727920831",
"127817421023260789678533417229310442367",
"171000664317697908525965513566192760054",
"233662360806948095055703989282522784875",
"108170245816578215837650999969576162118",
"50266895177432932602818597245032266222",
"198506459912999751043133994466948165645",
"329034903738547421318547207089034146263",
"331407880608659174536234719192450575095",
"47310464851542284296191212260990355382",
"285311369832991433881579030231734928329",
"312961523498526352829485987791160212218"
]
},
"target": {
"file": "modules/kernel/src/main/java/org/opencastproject/kernel/security/TrustedHttpClientImpl.java"
}
},
{
"id": "CVE-2025-54380-7a92fbdf",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 97.0,
"function_hash": "17512595869634614251497588148280153031"
},
"target": {
"file": "modules/publication-service-oaipmh-remote/src/test/java/org/opencastproject/publication/oaipmh/endpoint/OaiPmhPublicationRestServiceTest.java",
"function": "TestHttpClient"
}
},
{
"id": "CVE-2025-54380-95df433b",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 2267.0,
"function_hash": "157282202220083150033452617589417877025"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "successIfNonceReturnThreeAndThreeRetries"
}
},
{
"id": "CVE-2025-54380-96e01a2b",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1519.0,
"function_hash": "263530381250103374385191327959797185836"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "testNotAcceptsUrlSigningService"
}
},
{
"id": "CVE-2025-54380-a6758e14",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1959.0,
"function_hash": "179077869043678750793961752348309828578"
},
"target": {
"file": "modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java",
"function": "addContentToRepo"
}
},
{
"id": "CVE-2025-54380-a86c46f9",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 42.0,
"function_hash": "53716279723641025875630936838275677388"
},
"target": {
"file": "modules/ingest-service-impl/src/test/java/org/opencastproject/ingest/impl/IngestServiceImplTest.java",
"function": "getAuthedHttpClient"
}
},
{
"id": "CVE-2025-54380-b0a3325c",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 44.0,
"function_hash": "51046901201335586286938598455731240663"
},
"target": {
"file": "modules/ingest-service-impl/src/test/java/org/opencastproject/ingest/impl/IngestServiceImplTest.java",
"function": "getNoAuthHttpClient"
}
},
{
"id": "CVE-2025-54380-b3b18f2a",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 9862.0,
"function_hash": "173395889265427395179825450869826179542"
},
"target": {
"file": "modules/ingest-service-impl/src/test/java/org/opencastproject/ingest/impl/IngestServiceImplTest.java",
"function": "setupService"
}
},
{
"id": "CVE-2025-54380-e4a71f5d",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 879.0,
"function_hash": "127315651025959183357179387182240244804"
},
"target": {
"file": "modules/publication-service-oaipmh-remote/src/test/java/org/opencastproject/publication/oaipmh/endpoint/OaiPmhPublicationRestServiceTest.java",
"function": "testPublishUsingRemoteService"
}
},
{
"id": "CVE-2025-54380-f8f65436",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 1895.0,
"function_hash": "86917774834662457570012396680285464612"
},
"target": {
"file": "modules/kernel/src/main/java/org/opencastproject/kernel/security/TrustedHttpClientImpl.java",
"function": "execute"
}
},
{
"id": "CVE-2025-54380-fb97a4b0",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 3003.0,
"function_hash": "149858293227137255729840515906608981598"
},
"target": {
"file": "modules/kernel/src/test/java/org/opencastproject/kernel/security/TrustedHttpClientImplTest.java",
"function": "setUp"
}
},
{
"id": "CVE-2025-54380-fc0223fc",
"source": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"length": 79.0,
"function_hash": "278527263318738230722666968511293911390"
},
"target": {
"file": "modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java",
"function": "getNoAuthHttpClient"
}
}
]
}