CVE-2025-54380

Description

### Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file. A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch. ### Impact Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. ### Patches This issue is fixed in Opencast 17.6 If you have any questions or comments about this advisory: - Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues) - Email us at security@opencast.org

How to fix CVE-2025-54380

To remediate CVE-2025-54380, upgrade the affected package to a fixed version below.

• —upgrade to 17.6 or later
• —upgrade to 17.6 or later
• —upgrade to 17.6 or later
• —upgrade to 17.6 or later

Is CVE-2025-54380 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 17.6
• from 0, < 17.6
• from 0, < 17.6
• from 0, < 17.6

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-54380
• PATCHgithub.com/opencast/opencast
• WEBgithub.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6
• WEBgithub.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a