Headline

GHSA-j63h-hmgw-x4j7: Opencast still publishes global system account credentials

Description

Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch.

Impact

Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing.

Patches

This issue is fixed in Opencast 17.6

If you have any questions or comments about this advisory:

Open an issue in our issue tracker
Email us at security@opencast.org

16 hours ago

ghsa

Open in Source

#git #java #maven

GitHub Advisory Database
GitHub Reviewed
CVE-2025-54380

Opencast still publishes global system account credentials

Moderate severity GitHub Reviewed Published Jul 25, 2025 in opencast/opencast

Package

maven org.opencastproject:opencast-common (Maven)

maven org.opencastproject:opencast-ingest-service-impl (Maven)

maven org.opencastproject:opencast-kernel (Maven)

maven org.opencastproject:opencast-publication-service-oaipmh-remote (Maven)

Description

Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch.

Impact

Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing.

Patches

This issue is fixed in Opencast 17.6

If you have any questions or comments about this advisory: