{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54380", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-21T16:12:20.733Z", "datePublished": "2025-07-26T03:28:25.194Z", "dateUpdated": "2025-07-28T19:00:02.211Z"}, "containers": {"cna": {"title": "Opencast still publishes global system account credentials", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7"}, {"name": "https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9", "tags": ["x_refsource_MISC"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9"}, {"name": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a", "tags": ["x_refsource_MISC"], "url": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a"}], "affected": [{"vendor": "opencast", "product": "opencast", "versions": [{"version": "< 17.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-26T03:28:25.194Z"}, "descriptions": [{"lang": "en", "value": "Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6."}], "source": {"advisory": "GHSA-j63h-hmgw-x4j7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T18:59:53.905632Z", "id": "CVE-2025-54380", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T19:00:02.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54380", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T18:59:53.905632Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T18:59:57.559Z"}}], "cna": {"title": "Opencast still publishes global system account credentials", "source": {"advisory": "GHSA-j63h-hmgw-x4j7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opencast", "product": "opencast", "versions": [{"status": "affected", "version": "< 17.6"}]}], "references": [{"url": "https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7", "name": "https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9", "name": "https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a", "name": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-26T03:28:25.194Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54380", "state": "PUBLISHED", "dateUpdated": "2025-07-28T19:00:02.211Z", "dateReserved": "2025-07-21T16:12:20.733Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-26T03:28:25.194Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF96B75C-FF1A-4F47-9EA0-530F7AA8825F", "versionEndExcluding": "17.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6."}, {"lang": "es", "value": "Opencast es una plataforma gratuita de c\u00f3digo abierto que facilita la gesti\u00f3n de contenido educativo de audio y v\u00eddeo. Antes de la versi\u00f3n 17.6, Opencast enviaba incorrectamente las credenciales de la cuenta global del sistema con hash (es decir, org.opencastproject.security.digest.user y org.opencastproject.security.digest.pass) al intentar obtener elementos de mediapackage incluidos en un archivo XML de mediapackage. Una CVE anterior evit\u00f3 muchos casos de env\u00edo indebido de credenciales, pero no todos. Cualquier persona con permisos de ingesta pod\u00eda hacer que Opencast enviara sus credenciales de la cuenta global del sistema con hash a una URL de su elecci\u00f3n. Este problema se solucion\u00f3 en Opencast 17.6."}], "id": "CVE-2025-54380", "lastModified": "2025-08-26T16:57:00.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-26T04:16:06.190", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2025-07-28T12:45:46.174705+00:00", "updated": "2025-07-28T12:45:46.174772+00:00", "vendors": ["opencast", "opencast$PRODUCT$opencast"]}