VulnerableCode Package Details - pkg:maven/org.opencastproject/opencast-publication-service-oaipmh-remote@9.12

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/org.opencastproject/opencast-publication-service-oaipmh-remote@9.12

Essentials
History (1)

purl	pkg:maven/org.opencastproject/opencast-publication-service-oaipmh-remote@9.12

Next non-vulnerable version	18.5
Latest non-vulnerable version	18.5
Risk

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-fydj-m3vk-w3b4 Aliases: CVE-2025-54380 GHSA-j63h-hmgw-x4j7	Opencast still publishes global system account credentials ### Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file. A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch. ### Impact Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. ### Patches This issue is fixed in Opencast 17.6 If you have any questions or comments about this advisory: - Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues) - Email us at security@opencast.org	17.6 Affected by 0 other vulnerabilities. 18.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-fydj-m3vk-w3b4
Aliases:
CVE-2025-54380
GHSA-j63h-hmgw-x4j7

Opencast still publishes global system account credentials ### Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file. A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch. ### Impact Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. ### Patches This issue is fixed in Opencast 17.6 If you have any questions or comments about this advisory: - Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues) - Email us at security@opencast.org

17.6
Affected by 0 other vulnerabilities.

18.5
Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-30T07:33:44.555363+00:00	GitLab Importer	Affected by	VCID-fydj-m3vk-w3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.opencastproject/opencast-publication-service-oaipmh-remote/CVE-2025-54380.yml	38.6.0