
Andyuea

#52241 of 53,624
4.1 Total CVSS
Vulnerabilities · 1
PT-2025-36938
4.1
2025-09-09
Unknown · Open Ondemand · CVE-2025-58435
Name of the Vulnerable Software and Affected Versions:
Open OnDemand versions prior to 3.1.15
Open OnDemand versions prior to 4.0.7

Description:
Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when TurboVNC was higher than version 3.1.2. Exploitation requires a user to share their link to an active desktop session, and the attacker must be authenticated to the portal. Successful exploitation would allow an attacker to perform actions as the original user and access their data.

Recommendations:
Update to Open OnDemand version 3.1.15 or later.
Update to Open OnDemand version 4.0.7 or later.
As a workaround, downgrade TurboVNC to a version lower than 3.1.2.