CVE-2025-55001

EPSS 0.03%
Veröffentlicht 09.08.2025 02:01:29
Zuletzt bearbeitet 12.08.2025 20:44:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openbao ≫ Openbao Version < 2.3.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.077

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-156 Improper Neutralization of Whitespace

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.

https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092

Not Applicable

https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc

Patch

https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-55001

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55001

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55001

EUVD