CVE-2025-54996

Name
CVE-2025-54996
Description
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/openbao/openbao/pull/1627
MISC https://github.com/openbao/openbao/releases/tag/v2.3.2
CONFIRM https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc

Match rules

CPE URI Source package Min version Max version
openbao >= 0 < 2.3.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openbao edge-community 2.3.2-r0 Kevin Daudt <kdaudt@alpinelinux.org> fixed
openbao edge-community 2.3.1-r1 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.3.1-r0 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.2.2-r1 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.2.2-r0 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.2.1-r1 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.2.1-r0 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.2.0-r2 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.2.0-r1 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.2.0-r0 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.1.0-r2 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.1.0-r1 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao edge-community 2.1.0-r0 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao 3.22-community 2.3.1-r3 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao 3.22-community 2.3.1-r2 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao 3.22-community 2.3.1-r1 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable
openbao 3.22-community 2.1.0-r5 Kevin Daudt <kdaudt@alpinelinux.org> possibly vulnerable