VYPR

Ondemand

by OSC (Ohio Supercomputer Center)

CVEs (7)

  • CVE-2025-64185 · Med · Nov 20, 2025
    risk 0.45 · cvss n/a · epss 0.00

    Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, the Open OnDemand packages create world-writable locations in the GEM_PATH, which lets any local user plant or alter gem code that the portal loads. Versions 4.0.8 and 3.1.16 are patched.

  • CVE-2025-62724 · Med · Nov 20, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser…

  • CVE-2025-53636 · Med · Jul 11, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    Open OnDemand is an open-source HPC portal. Users can flood the logs by interacting with the shell app and generating many errors; the resulting very large log files cause a Denial of Service (DoS) to the OnDemand system. This vulnerability is fixed in 3.1.14 and…

  • CVE-2025-58435 · Med · Sep 9, 2025
    risk 0.20 · cvss n/a · epss 0.00

    Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when TurboVNC was newer than version 3.1.2. The likelihood of exploitation is low, as a user would need to share their link to an…

  • CVE-2026-26002 · Mar 4, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain…

  • CVE-2025-66029 · Dec 17, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that records these headers when unsuspecting…

  • CVE-2020-27958 · Feb 26, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template.
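For CVE-2025-64185 above, the check a site would run before and after upgrading: walk every GEM_PATH root and list each file or directory that is world-writable without the sticky bit. This is an added example, not Open OnDemand code or its fix; the fixture tree under a temporary `gems` root (with `specifications`, `cache` and `tmp` subdirectories) is constructed here for the demo and does not reproduce the real package layout.

```ruby
require "find"
require "tmpdir"
require "fileutils"

WORLD_WRITE = 0o002   # the o+w bit
STICKY_BIT  = 0o1000  # sticky directories (/tmp style) are not flagged

# Walk each root and return every file or directory that any user may write
# to. Symlinks are skipped: their own mode bits are meaningless and following
# them would take the audit outside the roots. Returns absolute paths, sorted.
def world_writable_entries(roots)
  hits = []
  roots.each do |root|
    next unless File.directory?(root)
    Find.find(root) do |path|
      st = File.lstat(path)
      next if st.symlink?
      writable = (st.mode & WORLD_WRITE) != 0
      sticky   = (st.mode & STICKY_BIT) != 0
      hits << path if writable && !sticky
    end
  end
  hits.sort
end

# The roots RubyGems actually searches: GEM_PATH if set, else Gem.path.
def gem_path_roots(env = ENV)
  env["GEM_PATH"] ? env["GEM_PATH"].split(File::PATH_SEPARATOR) : Gem.path
end

# Constructed fixture standing in for one GEM_PATH root (assumed layout, not
# the real package's). Returns the flagged entries relative to that root.
def demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "gems")
    %w[specifications cache tmp].each { |d| FileUtils.mkdir_p(File.join(root, d)) }
    File.write(File.join(root, "specifications", "foo.gemspec"), "")
    File.chmod(0o755, root)
    File.chmod(0o777, File.join(root, "specifications"))                # flagged
    File.chmod(0o666, File.join(root, "specifications", "foo.gemspec")) # flagged
    File.chmod(0o755, File.join(root, "cache"))                         # fine
    File.chmod(0o1777, File.join(root, "tmp"))                          # sticky: not flagged
    world_writable_entries([root]).map { |p| p.delete_prefix(root + "/") }
  end
end

if $PROGRAM_NAME == __FILE__
  puts demo                                        # the constructed fixture
  puts world_writable_entries(gem_path_roots)      # this host's real GEM_PATH
end
```

Run it as the user the portal runs as; an empty second listing is what a patched host should show. Sticky directories are deliberately excluded because o+w with the sticky bit only lets a user delete their own files, not replace someone else's.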
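For CVE-2025-62724 above, the shape of a check-then-use race in a file browser and the shape of a fix. This is an added example, not Open OnDemand's code or its patch: `read_naive`, `read_safe`, the fixture tree and the simulated attacker step are all constructed here, and `read_safe` assumes Linux, where `/proc/self/fd/N` resolves to whatever an already-open descriptor refers to.

```ruby
require "tmpdir"
require "fileutils"

# Is +real+ (an already-resolved absolute path) inside an allowlisted root?
def under_allowlist?(real, allowlist)
  allowlist.any? do |root|
    r = File.realpath(root)
    real == r || real.start_with?(r + File::SEPARATOR)
  end
end

# Vulnerable shape: check the name, then open the name. Whatever happens
# between the two steps is invisible to the check.
def read_naive(path, allowlist, race: nil)
  raise SecurityError, "outside allowlist" unless under_allowlist?(File.realpath(path), allowlist)
  race&.call                      # the attacker's window
  File.read(path)
end

# Hardened shape: open first, then verify what the descriptor actually points
# to, and read through that same descriptor. NOFOLLOW only guards the last
# path component, so the descriptor check is what catches a swapped parent.
def read_safe(path, allowlist, race: nil)
  race&.call                      # attacker moves first; still caught
  f = File.open(path, File::RDONLY | File::NOFOLLOW)
  begin
    actual = File.realpath("/proc/self/fd/#{f.fileno}")   # Linux-specific
    raise SecurityError, "descriptor resolves to #{actual}" unless under_allowlist?(actual, allowlist)
    f.read
  ensure
    f.close
  end
rescue Errno::ELOOP
  raise SecurityError, "refusing symlink at #{path}"
end

# Constructed fixture: an allowlisted tree, a file outside it, and the swap an
# attacker would make between check and use (replace a checked directory with
# a symlink pointing out of the tree).
def with_fixture
  Dir.mktmpdir do |tmp|
    allowed = File.join(tmp, "home", "user", "share")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p(File.join(allowed, "sub"))
    FileUtils.mkdir_p(outside)
    File.write(File.join(allowed, "sub", "data.txt"), "public\n")
    File.write(File.join(outside, "data.txt"), "SECRET\n")
    swap = lambda do
      FileUtils.rm_rf(File.join(allowed, "sub"))
      File.symlink(outside, File.join(allowed, "sub"))
    end
    yield File.join(allowed, "sub", "data.txt"), [allowed], swap
  end
end

# Runs both readers against the race. Returns [naive_result, safe_result].
def demo
  with_fixture do |target, allowlist, swap|
    naive = read_naive(target, allowlist, race: swap)
    safe = begin
      read_safe(target, allowlist, race: swap)
    rescue SecurityError => e
      "blocked: #{e.message}"
    end
    [naive, safe]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point is not the realpath comparison, which the naive version also does; it is that the comparison is made against the object the process is about to read, not against a name that someone else can re-point in the meantime. When building a zip from a directory tree, the same applies to every entry: open, verify the descriptor, then stream from it.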
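For CVE-2025-53636 above, one mitigation pattern for user-triggered log flooding: cap the error lines a single source may emit per time window and write one summary line for what was suppressed, so a user hammering the shell app cannot grow the log without bound. This is an added example, not the project's fix; the `ThrottledLogger` class, its limit and window values and the fake clock are assumptions made here.

```ruby
require "logger"
require "stringio"

# Wraps a Logger and bounds how many error lines each key (e.g. a username)
# may produce per window. Excess lines are counted, not written, and a single
# summary line is emitted when the next window opens.
class ThrottledLogger
  def initialize(logger, limit:, window:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @logger  = logger
    @limit   = limit
    @window  = window
    @clock   = clock
    @buckets = Hash.new { |h, k| h[k] = { start: nil, count: 0, dropped: 0 } }
  end

  # Returns :logged or :dropped so callers (and tests) can see the decision.
  def error(key, message)
    b   = @buckets[key]
    now = @clock.call
    if b[:start].nil? || now - b[:start] >= @window
      flush_summary(key, b)
      b[:start] = now
      b[:count] = 0
    end
    if b[:count] < @limit
      b[:count] += 1
      @logger.error("[#{key}] #{message}")
      :logged
    else
      b[:dropped] += 1
      :dropped
    end
  end

  private

  def flush_summary(key, b)
    return if b[:dropped].zero?
    @logger.warn("[#{key}] suppressed #{b[:dropped]} error lines in the previous #{@window}s window")
    b[:dropped] = 0
  end
end

# Constructed demo: a fake clock, 1000 errors from one user with 5 allowed per
# 60s window, then one error in the next window and one from another user.
def demo
  t   = 0.0
  out = StringIO.new
  tl  = ThrottledLogger.new(Logger.new(out), limit: 5, window: 60, clock: -> { t })
  decisions = Array.new(1000) { tl.error("alice", "shell app error (constructed): connection refused") }
  t = 61.0
  tl.error("alice", "first error of the next window")
  tl.error("bob", "another user has an independent bucket")
  { logged: decisions.count(:logged), dropped: decisions.count(:dropped), lines: out.string.lines.size }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With these settings the thousand errors become five logged lines plus one summary; the total written per user per window is bounded regardless of how fast the client generates failures. Keying the bucket on the authenticated user rather than the message text is what stops one user from affecting everyone else's logging.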