CVE Details
Basic Information
| Title | Opencast still publishes global system account credentials |
|---|---|
| Type | cve |
| Published | 2025-07-26T03:28:25.194Z |
| Modified | 2025-07-26T03:28:25.194Z |
Product Information
| Vendor | opencast |
|---|---|
| Product | opencast |
| Version | < 17.6 |
CVSS Information
| Base Score | 6.5 (MEDIUM) |
|---|---|
| Attack Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Affected Products
- opencast opencast < 17.6
Additional Information
| CWE List | CWE-200, CWE-522 |
|---|---|
| Source | GitHub_M |
Description
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6.