VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-fydj-m3vk-w3b4

Essentials
Severities (16)
References (8)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-fydj-m3vk-w3b4
Aliases	CVE-2025-54380 GHSA-j63h-hmgw-x4j7
Summary	Opencast still publishes global system account credentials ### Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when attempting to fetch mediapackage elements included in a mediapackage XML file. A [previous CVE](https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9) prevented many cases where the credentials were inappropriately sent, but not all. The remainder are addressed with this patch. ### Impact Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. ### Patches This issue is fixed in Opencast 17.6 If you have any questions or comments about this advisory: - Open an issue in our [issue tracker](https://github.com/opencast/opencast/issues) - Email us at security@opencast.org
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-522	Insufficiently Protected Credentials
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00189	https://api.first.org/data/v1/epss?cve=CVE-2025-54380
cvssv3.1	6.5	https://github.com/opencast/opencast
generic_textual	MODERATE	https://github.com/opencast/opencast
cvssv3.1	6.5	https://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6
generic_textual	MODERATE	https://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6
cvssv3.1	6.5	https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a
generic_textual	MODERATE	https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a
ssvc	Track	https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a
cvssv3.1	6.5	https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
generic_textual	MODERATE	https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
ssvc	Track	https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
cvssv3.1	6.5	https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7
generic_textual	MODERATE	https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7
ssvc	Track	https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2025-54380
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2025-54380

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-54380
		https://github.com/opencast/opencast
		https://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6
		https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a
		https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
		https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7
		https://nvd.nist.gov/vuln/detail/CVE-2025-54380
GHSA-j63h-hmgw-x4j7		https://github.com/advisories/GHSA-j63h-hmgw-x4j7

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/opencast/opencast

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/opencast/opencast/commit/2d3219113e2b9fadfb06443f5468b1c2157827a6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-28T18:59:53Z/ Found at https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-28T18:59:53Z/ Found at https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-28T18:59:53Z/ Found at https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-54380

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.40554
EPSS Score	0.00189
Published At	May 29, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-29T09:02:16.165184+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j63h-hmgw-x4j7/GHSA-j63h-hmgw-x4j7.json	38.6.0