Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.opencastproject/opencast-publication-service-oaipmh-remote@18.5
purl pkg:maven/org.opencastproject/opencast-publication-service-oaipmh-remote@18.5
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-fydj-m3vk-w3b4 Opencast still publishes global system account credentials ### Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file. A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch. ### Impact Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. ### Patches This issue is fixed in Opencast 17.6 If you have any questions or comments about this advisory: - Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues) - Email us at security@opencast.org CVE-2025-54380
GHSA-j63h-hmgw-x4j7

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-30T07:33:45.025726+00:00 GitLab Importer Fixing VCID-fydj-m3vk-w3b4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opencastproject/opencast-publication-service-oaipmh-remote/CVE-2025-54380.yml 38.6.0