CVE-2025-58435
Description
Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the VNC password when the installed TurboVNC was higher than version 3.1.2. The likelihood of exploitation is low, because a user would need to share the link to their active desktop session and the recipient would need to be authenticated to the portal. Obtaining the link, however, would allow that user to perform any action as the original user and access their data. Open OnDemand 3.1.15 and 4.0.7 have patched this vulnerability and correctly rotate passwords for any version of TurboVNC. As a workaround, downgrade TurboVNC to a version lower than 3.1.2.
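The advisory gives two independent conditions (an unpatched Open OnDemand release, and a TurboVNC version that triggers the missing rotation), and the fix was backported to two release lines, so a naive "is it older than 4.0.7?" comparison would misclassify 3.1.15 and 3.1.16. The following is an added example, not Open OnDemand's own code, of an exposure check that compares each release line against its own fixed version using Ruby's `Gem::Version`. It assumes the version facts stated above and nothing else; the sample inventory at the bottom is constructed.

```ruby
# Added example (not Open OnDemand code): classify a deployment against
# CVE-2025-58435 from the version facts in the advisory.
# Assumptions taken from the advisory text:
#   - Open OnDemand 3.x before 3.1.15 and 4.x before 4.0.7 lack the fix
#     (anything older than the 3.1 line is treated as unpatched as well);
#   - the missing rotation is only reachable when TurboVNC is newer than
#     3.1.2. The advisory's workaround says "lower than 3.1.2", so this
#     check conservatively treats 3.1.2 itself as triggering.
require 'rubygems' # Gem::Version

# Fixed Open OnDemand releases, keyed by major.minor line.
OOD_FIXED = {
  [3, 1] => Gem::Version.new('3.1.15'),
  [4, 0] => Gem::Version.new('4.0.7'),
}.freeze

TURBOVNC_THRESHOLD = Gem::Version.new('3.1.2')

# True when this Open OnDemand version predates the fix on its own line.
def ood_unpatched?(ood_version)
  v = Gem::Version.new(ood_version)
  major = v.segments[0]
  minor = v.segments[1].to_i
  fixed = OOD_FIXED[[major, minor]]
  return v < fixed if fixed

  # A line with no backport: older than the oldest fixed line means unpatched,
  # a newer line (4.1 and later) already carries the fix.
  v < OOD_FIXED.values.min
end

# True when the TurboVNC version is one on which the bug is reachable.
def turbovnc_triggers?(turbovnc_version)
  Gem::Version.new(turbovnc_version) >= TURBOVNC_THRESHOLD
end

# :patched    - Open OnDemand carries the fix, TurboVNC version irrelevant
# :mitigated  - unpatched portal, but TurboVNC is old enough to mask the bug
# :vulnerable - unpatched portal and a triggering TurboVNC
def assess(ood_version:, turbovnc_version:)
  return :patched unless ood_unpatched?(ood_version)

  turbovnc_triggers?(turbovnc_version) ? :vulnerable : :mitigated
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inventory (not real hosts).
  [
    ['3.1.14', '3.1.3'],
    ['3.1.15', '3.1.3'],
    ['4.0.6',  '3.1.1'],
    ['4.0.6',  '3.1.2'],
  ].each do |ood, tvnc|
    puts format('ood %-7s turbovnc %-6s => %s', ood, tvnc,
                assess(ood_version: ood, turbovnc_version: tvnc))
  end
end
```

The per-line table is the point: a backported fix means "patched" is not a single threshold, and any inventory script that flattens it to one comparison will either miss 4.0.0 through 4.0.6 or wrongly flag 3.1.15.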
Affected products
Patches
2819c23ed466b Merge pull request #4542 from OSC/30-fix-release-wf
7 files changed · +21 −0
.github/workflows/changelog.yml+3 −0 modified@@ -10,6 +10,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: update-dependencies: strategy:
.github/workflows/document-merge.yml+3 −0 modified@@ -9,6 +9,9 @@ on: - 'release_**' types: [closed] +permissions: + contents: read + jobs: # Create an issue on the documentation repository to document whatever was just pulled in. create-doc-issue:
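Review bot: the `contents: read` grant added here does not cover what the create-doc-issue job does; per its comment it opens an issue on the documentation repository, and the workflow's GITHUB_TOKEN is scoped to this repository only, so that job must already be using a PAT or GitHub App token. Document in the workflow which secret carries that cross-repository permission, otherwise this top-level block reads as the complete permission picture and it is not.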
.github/workflows/issue-lifecycle.yml+3 −0 modified@@ -5,6 +5,9 @@ on: issues: types: [opened] +permissions: + issues: read + jobs: # If the created issue does not have a milestone attached to it, assign the issue to the "Needs Triaged" milestone assign-milestone:
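Review bot: `issues: read` looks insufficient for the assign-milestone job, which (per its comment) assigns the new issue to the "Needs Triaged" milestone; updating an issue requires `issues: write`. Either raise this to `issues: write`, or better, keep the top level at read and add `permissions: issues: write` on that one job, otherwise the workflow will start failing with 403 once this merges unless it uses a separate token.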
.github/workflows/lint.yml+3 −0 modified@@ -10,6 +10,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: update-dependencies: strategy:
.github/workflows/pr-labeler.yml+3 −0 modified@@ -6,6 +6,9 @@ on: workflow_dispatch: pull_request_target: +permissions: + pull-requests: read + jobs: triage: name: Add labels to PR
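Review bot: same concern with `pull-requests: read`: the triage job "Add labels to PR" needs `pull-requests: write` to add labels, so as written the labelling step will be denied. Since this workflow runs on `pull_request_target`, which hands the job a token for the base repository, keep the top level at read as done here and grant `pull-requests: write` in the triage job's own `permissions:` block rather than widening the default for every job in the file.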
.github/workflows/release.yml+3 −0 modified@@ -5,6 +5,9 @@ on: tags: - '*' +permissions: + contents: write + jobs: release: runs-on: ubuntu-latest
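Review bot: `contents: write` at the top level applies to every job in this file, not just `release`; consider moving it into that job's `permissions:` block so a job added later (a lint or notification step, say) does not inherit write access to the repository by default. The tag-triggered `on: tags: '*'` filter also means any pushed tag gets a write-capable run, which is worth stating in a comment.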
.github/workflows/update.yml+3 −0 modified@@ -6,6 +6,9 @@ on: # every Monday morning - cron: '0 3 * * 1' +permissions: + contents: read + jobs: update-dependencies: strategy:
73da684f4900 bump ood_core to latest version (#4536)
2 files changed · +2 −2
apps/dashboard/Gemfile.lock+1 −1 modified@@ -188,7 +188,7 @@ GEM ood_core (~> 0.1) rails (>= 6.0.0) redcarpet (~> 3.2) - ood_core (0.27.1) + ood_core (0.29.0) ffi (~> 1.16.3) ood_support (~> 0.0.2) rexml (~> 3.2)
apps/myjobs/Gemfile.lock+1 −1 modified@@ -158,7 +158,7 @@ GEM ood_core (~> 0.1) rails (>= 6.0.0) redcarpet (~> 3.2) - ood_core (0.27.1) + ood_core (0.29.0) ffi (~> 1.16.3) ood_support (~> 0.0.2) rexml (~> 3.2)
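Review bot: missing documentation on both lockfile hunks (apps/dashboard and apps/myjobs): the only change is `ood_core (0.27.1)` to `ood_core (0.29.0)`, and the message "bump ood_core to latest version" does not say why. Since this commit is listed as a patch for the advisory above, the commit message or PR #4536 should name the ood_core change it pulls in (the TurboVNC password-rotation fix) and which of the two minor releases carries it, so that anyone auditing the fix can tie the lockfile bump to the CVE without diffing ood_core themselves.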