CVE-2025-64761

Name
CVE-2025-64761
Description
OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to an identity group, escalating their or another user's permissions in the system. Specifically, this is an issue when an operator in the root namespace has access to identity/groups endpoints and an operator does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4.
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| MISC | https://github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5 |
| MISC | https://github.com/openbao/openbao/pull/2143 |
| CONFIRM | https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | openbao | >= 0 | < 2.4.4 |
| cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:* | openbao | >= None | < 2.4.4 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| openbao | edge-community | 2.4.3-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.4.1-r2 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.4.1-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.4.1-r0 | None | possibly vulnerable |
| openbao | edge-community | 2.3.2-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.3.2-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.3.1-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.3.1-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.2.2-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.2.2-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.2.1-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.2.1-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.2.0-r2 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.2.0-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.2.0-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.1.0-r2 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.1.0-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | edge-community | 2.1.0-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | 3.22-community | 2.4.3-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | 3.22-community | 2.4.3-r0 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | 3.22-community | 2.4.1-r0 | None | possibly vulnerable |
| openbao | 3.22-community | 2.3.2-r0 | None | possibly vulnerable |
| openbao | 3.22-community | 2.3.1-r3 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | 3.22-community | 2.3.1-r2 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | 3.22-community | 2.3.1-r1 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |
| openbao | 3.22-community | 2.3.1-r0 | None | possibly vulnerable |
| openbao | 3.22-community | 2.2.2-r0 | None | possibly vulnerable |
| openbao | 3.22-community | 2.1.0-r5 | Kevin Daudt <kdaudt@alpinelinux.org> | possibly vulnerable |