Description

Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when the TurboVNC version was higher than 3.1.2. The likelihood of exploitation is low, as a user would need to share the link to an active desktop session and the other user would need to be authenticated to the portal. However, obtaining the link would allow that other user to perform any actions as the original user and access their data. Open OnDemand 3.1.15 and 4.0.7 patch this vulnerability and correctly rotate passwords for any version of TurboVNC. As a workaround, downgrade TurboVNC to a version lower than 3.1.2.

INFO

Published Date : 2025-09-09T19:43:47.379Z

Last Modified : 2025-09-10T13:54:22.197Z

Source : GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-58435 vulnerability.

Vendor: Osc
Product: Open Ondemand


CVSS Vulnerability Scoring System

Metrics shown in the chart: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability.