CVE-2025-54380

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-54380

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54380.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-54380

Aliases

GHSA-j63h-hmgw-x4j7

Related

Published

2025-07-26T04:16:06Z

Modified

2025-07-29T14:50:09.197976Z

Summary

[none]

Details

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6.

References

Affected packages

Git / github.com/opencast/opencast

Affected ranges

Type: GIT
Repo: https://github.com/opencast/opencast
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e8980435342149375802648b9c9e696c9a5f0c9a

Affected versions

1.*

1.4.0

1.4.1

1.4.2

1.4.2-rc2

1.4.3

1.4.4

1.4.4-rc1

1.5.0

1.5.0-rc1

1.5.0-rc2

1.5.0-rc3

1.5.0-rc4

1.5.0-rc5

1.5.0-rc6

1.5.0-rc7

1.5.1

1.6.0

1.6.0-RC1

1.6.0-beta1

1.6.0-beta2

1.6.0-beta3

1.6.0-beta4

1.6.1-RC1

2.*

2.0.0-beta1

2.0.0-beta2