CVE-2025-58435 (CNNVD-202509-1181)
中文标题:
Open OnDemand 安全漏洞
英文标题:
Open OnDemand didn't rotate password for VNC batch_connect
漏洞描述
中文描述:
Open OnDemand是Ohio Supercomputer Center开源的一个通过Web实现开放式交互式HPC的软件。 Open OnDemand 3.1.15和4.0.7之前版本存在安全漏洞,该漏洞源于密码轮换不当,可能导致会话劫持。
英文描述:
Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when TurboVNC was higher than version 3.1.2. The likelihood of exploitation is low as a user would need to share their link to an active desktop session and the other user would need to be authenticated to the portal. But obtaining the link would allow that user to perform any actions as the original user and access their data. Open OnDemand 3.1.15 and 4.0.7 have patched this vulnerability and correctly rotate passwords for any version of TurboVNC. As a workaround, downgrade TurboVNC to a version lower than 3.1.2.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| OSC | ondemand | < 3.1.15 | - | - |
cpe:2.3:a:osc:ondemand:<_3.1.15:*:*:*:*:*:*:*
|
| OSC | ondemand | >= 4.0.0-0.rc1, < 4.0.7 | - | - |
cpe:2.3:a:osc:ondemand:>=_4.0.0-0.rc1,_<_4.0.7:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
CVSS评分详情
4.0 (cna)
MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-58435 |
2025-11-11 15:23:30 | 2025-11-11 07:40:45 |
| NVD | nvd_CVE-2025-58435 |
2025-11-11 15:01:02 | 2025-11-11 07:48:32 |
| CNNVD | cnnvd_CNNVD-202509-1181 |
2025-11-11 15:12:56 | 2025-11-11 08:00:09 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202509-1181
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']