CVE-2025-54380
BaseFortify
Publication date: 2025-07-26
Last updated on: 2025-08-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apereo | opencast | to 17.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54380 is a vulnerability in Opencast versions prior to 17.6 where the system incorrectly sends hashed global system account credentials (specifically org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when fetching mediapackage elements included in a mediapackage XML file. Any user with ingest permissions can cause Opencast to send these hashed credentials to a URL of their choosing, potentially exposing sensitive authentication information to unauthorized external services. The issue arises because Opencast did not properly restrict sending credentials only to trusted internal cluster nodes, allowing credentials to be leaked to external hosts. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to exposure of hashed global system account credentials to unauthorized external entities. An attacker with ingest permissions could exploit this to obtain these credentials by causing Opencast to send them to a malicious URL. Although the credentials are hashed, their exposure still represents a significant security risk, potentially allowing attackers to impersonate the system account or gain unauthorized access to sensitive resources. This could compromise the confidentiality of the system without affecting integrity or availability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for HTTP requests sent from Opencast to external or untrusted URLs that include hashed global system account credentials (specifically the headers related to org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass). You can use network packet capture tools such as tcpdump or Wireshark to filter HTTP traffic and look for these credential headers being sent to unexpected external hosts. For example, a command to capture HTTP traffic on port 80 or 443 and filter for credential patterns might be: `tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'Authorization: Digest'` or similar. Additionally, reviewing Opencast logs for any HTTP requests made to external URLs with authentication headers may help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Opencast to version 17.6 or later, where the vulnerability is fixed by restricting authentication requests to trusted cluster nodes only. If upgrading is not immediately possible, restrict network access to prevent Opencast from making HTTP requests to untrusted external hosts, especially those that could receive authentication credentials. Additionally, review and limit user permissions to reduce the number of users with ingest permissions, as any user with ingest permissions can trigger the credential leak. There is no known workaround for affected versions prior to 17.6. [1, 2]
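The detection and mitigation answers above both come down to one check: digest credentials may only travel to hosts that are part of the trusted cluster. The script below is an added example, not Opencast code and not from this advisory's sources; it applies that check to a constructed outbound-request log (the line format and host names are assumptions for illustration, not Opencast's real log format) and reports every request that carried a `Authorization: Digest` header to a host outside the allowlist. A log-based check also works where TLS keeps headers out of a packet capture. The host comparison is an exact match against the allowlist, so a lookalike name that merely begins with a trusted host name is still reported.

```python
"""Flag outbound HTTP requests that carry cluster digest credentials to
untrusted hosts.

Added example, not Opencast's own code.  The log format is constructed:
one request per line as "<timestamp> <METHOD> <url> <header-names>",
where <header-names> is "-" when no authentication header was sent.
"""
import re
from urllib.parse import urlparse

# Constructed sample log (hypothetical hosts, not real Opencast output).
SAMPLE_LOG = """\
2025-07-26T10:00:01Z GET http://worker1.cluster.internal:8080/files/mp/abc/track.mp4 Authorization:Digest
2025-07-26T10:00:02Z GET https://cdn.example.org/public/poster.jpg -
2025-07-26T10:00:03Z GET http://203.0.113.10/collect/element.mp4 Authorization:Digest
2025-07-26T10:00:04Z GET http://admin.cluster.internal:8080/api/info Authorization:Digest
2025-07-26T10:00:05Z GET http://worker1.cluster.internal.example.net/x.mp4 Authorization:Digest
"""

# Assumed allowlist of trusted cluster nodes (the only hosts that should
# ever receive org.opencastproject.security.digest.* credentials).
TRUSTED_HOSTS = {"admin.cluster.internal", "worker1.cluster.internal"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<hdrs>\S+)$"
)


def is_trusted_host(url, trusted=TRUSTED_HOSTS):
    """True only when the URL's host name exactly matches an allowlisted
    node.  Exact matching is deliberate: prefix or substring matching
    would accept look-alike names such as worker1.cluster.internal.example.net."""
    host = urlparse(url).hostname
    return host is not None and host.lower() in trusted


def carries_digest_credentials(headers_field):
    """True when the logged header list includes an Authorization: Digest header."""
    return "authorization:digest" in headers_field.lower()


def find_credential_leaks(log_text, trusted=TRUSTED_HOSTS):
    """Return one record per request that sent digest credentials to a host
    outside the trusted cluster."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        url = m.group("url")
        if carries_digest_credentials(m.group("hdrs")) and not is_trusted_host(url, trusted):
            leaks.append({
                "timestamp": m.group("ts"),
                "host": urlparse(url).hostname,
                "url": url,
            })
    return leaks


if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_LOG):
        print(f"{leak['timestamp']} digest credentials sent to untrusted host "
              f"{leak['host']}: {leak['url']}")
```

The same `is_trusted_host` decision is the shape of the fix the advisory describes for 17.6: credentials are attached only when the target is an allowlisted cluster node, and everything else is fetched anonymously.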