Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 26 Aug 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Apereo
Apereo opencast
CPEs cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*
Vendors & Products Apereo
Apereo opencast

Mon, 28 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Opencast
Opencast opencast
Vendors & Products Opencast
Opencast opencast

Sat, 26 Jul 2025 03:45:00 +0000

Type Values Removed Values Added
Description Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6.
Title Opencast still publishes global system account credentials
Weaknesses CWE-200
CWE-522
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-07-28T19:00:02.211Z

Reserved: 2025-07-21T16:12:20.733Z

Link: CVE-2025-54380

cve-icon Vulnrichment

Updated: 2025-07-28T18:59:57.559Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-26T04:16:06.190

Modified: 2025-08-26T16:57:00.143

Link: CVE-2025-54380

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-28T12:45:46Z