GHSA-j63h-hmgw-x4j7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j63h-hmgw-x4j7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j63h-hmgw-x4j7/GHSA-j63h-hmgw-x4j7.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-j63h-hmgw-x4j7
- Aliases
- Related
- Published
- 2025-07-25T20:13:45Z
- Modified
- 2025-07-28T13:30:35.301552Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Opencast still publishes global system account credentials
- Details
-
Description
Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie:
org.opencastproject.security.digest.userandorg.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch.Impact
Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing.
Patches
This issue is fixed in Opencast 17.6
If you have any questions or comments about this advisory: - Open an issue in our issue tracker - Email us at security@opencast.org
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2025-07-25T20:13:45Z", "cwe_ids": [ "CWE-200" ], "nvd_published_at": "2025-07-26T04:16:06Z" }- References
-
- https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
- https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7
- https://nvd.nist.gov/vuln/detail/CVE-2025-54380
- https://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6
- https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a
- https://github.com/opencast/opencast
Affected packages
Maven / org.opencastproject:opencast-common
Package
- Name
- org.opencastproject:opencast-common
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opencastproject/opencast-common
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed17.6
Affected versions
6.*
6.6
7.*
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.*
8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.*
9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.9
9.10
9.11
9.12
10.*
10.0
10.1
10.2
10.3
10.4
10.5
10.6
10.7
10.8
10.9
10.10
10.11
10.12
11.*
11.0
11.1
11.2
11.3
11.4
11.5
11.6
11.7
11.8
11.9
11.10
11.11
12.*
12.0
12.1
12.2
12.3
12.5
12.6
12.7
12.8
12.9
12.11
12.12
12.13
13.*
13.0
13.1
13.2
13.4
13.6
13.7
13.8
13.10
13.11
13.12
14.*
14.0
14.1
14.2
14.3
14.5
14.6
14.7
14.8
14.9
14.10
14.11
14.12
14.13
15.*
15.0
15.1
15.2
15.3
15.4
15.5
15.6
15.7
15.8
15.9
15.10
15.11
15.12
15.13
16.*
16.0
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
Maven / org.opencastproject:opencast-ingest-service-impl
Package
- Name
- org.opencastproject:opencast-ingest-service-impl
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opencastproject/opencast-ingest-service-impl
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed17.6
Affected versions
6.*
6.6
7.*
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.*
8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.*
9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.9
9.10
9.11
9.12
10.*
10.0
10.1
10.2
10.3
10.4
10.5
10.6
10.7
10.8
10.9
10.10
10.11
10.12
11.*
11.0
11.1
11.2
11.3
11.4
11.5
11.6
11.7
11.8
11.9
11.10
11.11
12.*
12.0
12.1
12.2
12.3
12.5
12.6
12.7
12.8
12.9
12.11
12.12
12.13
13.*
13.0
13.1
13.2
13.4
13.6
13.7
13.8
13.10
13.11
13.12
14.*
14.0
14.1
14.2
14.3
14.5
14.6
14.7
14.8
14.9
14.10
14.11
14.12
14.13
15.*
15.0
15.1
15.2
15.3
15.4
15.5
15.6
15.7
15.8
15.9
15.10
15.11
15.12
15.13
16.*
16.0
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
Maven / org.opencastproject:opencast-kernel
Package
- Name
- org.opencastproject:opencast-kernel
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opencastproject/opencast-kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed17.6
Affected versions
6.*
6.6
7.*
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.*
8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.*
9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.9
9.10
9.11
9.12
10.*
10.0
10.1
10.2
10.3
10.4
10.5
10.6
10.7
10.8
10.9
10.10
10.11
10.12
11.*
11.0
11.1
11.2
11.3
11.4
11.5
11.6
11.7
11.8
11.9
11.10
11.11
12.*
12.0
12.1
12.2
12.3
12.5
12.6
12.7
12.8
12.9
12.11
12.12
12.13
13.*
13.0
13.1
13.2
13.4
13.6
13.7
13.8
13.10
13.11
13.12
14.*
14.0
14.1
14.2
14.3
14.5
14.6
14.7
14.8
14.9
14.10
14.11
14.12
14.13
15.*
15.0
15.1
15.2
15.3
15.4
15.5
15.6
15.7
15.8
15.9
15.10
15.11
15.12
15.13
16.*
16.0
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
Maven / org.opencastproject:opencast-publication-service-oaipmh-remote
Package
- Name
- org.opencastproject:opencast-publication-service-oaipmh-remote
- View open source insights on deps.dev
- Purl
- pkg:maven/org.opencastproject/opencast-publication-service-oaipmh-remote
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed17.6
Affected versions
6.*
6.6
7.*
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
8.*
8.0
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
9.*
9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.9
9.10
9.11
9.12
10.*
10.0
10.1
10.2
10.3
10.4
10.5
10.6
10.7
10.8
10.9
10.10
10.11
10.12
11.*
11.0
11.1
11.2
11.3
11.4
11.5
11.6
11.7
11.8
11.9
11.10
11.11
12.*
12.0
12.1
12.2
12.3
12.5
12.6
12.7
12.8
12.9
12.11
12.12
12.13
13.*
13.0
13.1
13.2
13.4
13.6
13.7
13.8
13.10
13.11
13.12
14.*
14.0
14.1
14.2
14.3
14.5
14.6
14.7
14.8
14.9
14.10
14.11
14.12
14.13
15.*
15.0
15.1
15.2
15.3
15.4
15.5
15.6
15.7
15.8
15.9
15.10
15.11
15.12
15.13
16.*
16.0
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10