CVE-2025-54380: 
Java vulnerability analysis and mitigation

CVE-2025-54380 affects Opencast, a free, open-source platform for managing educational audio and video content. The vulnerability was discovered and disclosed on July 26, 2025, affecting versions prior to 17.6. The issue involves the incorrect transmission of hashed global system account credentials when fetching mediapackage elements included in a mediapackage XML file (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue specifically involves the exposure of org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass credentials. This vulnerability is categorized under CWE-522 (Insufficiently Protected Credentials) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD, GitHub Advisory).

The vulnerability allows any user with ingest permissions to cause Opencast to send its hashed global system account credentials to an arbitrary URL of their choosing. While a previous CVE had mitigated many cases of inappropriate credential transmission, some cases remained vulnerable (GitHub Advisory).

The vulnerability has been fixed in Opencast version 17.6. No workarounds are available for earlier versions, making upgrading to version 17.6 or later the only solution (GitHub Advisory).