Open OnDemand Password Rotation Vulnerability in noVNC Interactive Applications

Vulnerability

A vulnerability exists in Open OnDemand versions through 3.1.14 and 4.0.6: when the TurboVNC in use is a version higher than 3.1.2, noVNC interactive applications fail to rotate the session password properly. This allows a user to share a link to an active desktop session, potentially letting another authenticated user perform actions and access data as the original user.

Impact

Exploitation of this vulnerability could lead to unauthorized access and actions performed on behalf of the original user, including access to their data.

Remediation

Upgrade to Open OnDemand 3.1.15 or 4.0.7, which fix this vulnerability by ensuring proper password rotation for all TurboVNC versions. Alternatively, downgrade TurboVNC to a version lower than 3.1.2.
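The following is an added inventory check, not code from Open OnDemand or this advisory: it decides whether an Open OnDemand and TurboVNC version pair falls inside the affected range stated above and prints the matching remediation. It assumes dotted-integer version strings (a leading "v" or a packaging suffix such as "-1.el8" is tolerated) and, because the advisory says "higher than 3.1.2" while the remediation says "lower than 3.1.2", treats TurboVNC 3.1.2 itself conservatively as in range.

```python
"""Affected-range check for the Open OnDemand / TurboVNC password-rotation advisory."""
from typing import Tuple

# Boundaries exactly as stated in the advisory text.
OOD_FIRST_FIXED = {3: (3, 1, 15), 4: (4, 0, 7)}  # first fixed release per 3.x / 4.x line
TURBOVNC_BOUNDARY = (3, 1, 2)  # advisory: affected when TurboVNC is higher than this


def parse_version(text: str) -> Tuple[int, ...]:
    """'v3.1.14-1.el8' -> (3, 1, 14). Tuples compare numerically field by field;
    comparing raw strings is wrong because '3.1.2' > '3.1.14' (the char '2' > '1')."""
    core = text.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def ood_has_fix(ood_version: str) -> bool:
    """True once the install is at or past the first fixed release of its line."""
    version = parse_version(ood_version)
    first_fixed = OOD_FIRST_FIXED.get(version[0])
    if first_fixed is None:
        return False  # release line not named in the advisory: assume unfixed
    return version >= first_fixed


def turbovnc_in_range(turbovnc_version: str) -> bool:
    """Conservative reading: 3.1.2 sits on the boundary, so flag >= 3.1.2 (assumption)."""
    return parse_version(turbovnc_version) >= TURBOVNC_BOUNDARY


def is_affected(ood_version: str, turbovnc_version: str) -> bool:
    """Affected only when OOD lacks the fix AND TurboVNC is in the problem range."""
    return not ood_has_fix(ood_version) and turbovnc_in_range(turbovnc_version)


def remediation(ood_version: str, turbovnc_version: str) -> str:
    """Verdict mirroring the advisory's two remediation options."""
    if not is_affected(ood_version, turbovnc_version):
        return "not affected"
    target = OOD_FIRST_FIXED.get(parse_version(ood_version)[0], (4, 0, 7))
    return ("upgrade Open OnDemand to %s or later, or downgrade TurboVNC below 3.1.2"
            % ".".join(map(str, target)))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    for ood, vnc in [("3.1.14", "3.1.4"), ("3.1.15", "3.1.4"), ("4.0.6", "3.1.1")]:
        print(f"OOD {ood} + TurboVNC {vnc}: {remediation(ood, vnc)}")
```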

Added: Sep 9, 2025, 8:24 PM
Updated: Sep 9, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          1.3
exploitability  5.0
remediation     7.7
relevance       0.5
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.