Description
Advisory GHSA-vf84-mxrq-crqc references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/openbao/openbao |
Description:
Impact
Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the root policy. While the identity system always allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy is restricted to manual generation using unseal or recovery key shares. The global root policy is not accessible from child namespaces.
Patches
OpenBao v2.3.2 will patch this issue.
Workarounds
Use of denied_parameters in any policy which has access to the affected identit...
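A worked form of the denied_parameters workaround described above, added here as an illustration; it is not a policy from the advisory or from the OpenBao repository. It hardens an identity-operator grant in the root namespace so that the ACL layer refuses any create/update whose `policies` list contains `root` before the identity backend ever handles the request. The path set (`identity/entity` and `identity/entity/*`) is an assumption based on the advisory's wording "identity entity system"; check which identity endpoints your operator policies actually grant and attach the same `denied_parameters` block to each. The weak form of the same policy is simply these path blocks without the `denied_parameters` stanza.

```hcl
# Identity-operator policy for the root namespace (example, not project code).
#
# Without the denied_parameters stanza below, the ACL layer accepts any value
# in the request's "policies" list, so on an unpatched server an operator
# holding this grant can attach the root policy to an entity.
#
# With it, a request such as  policies=["default","root"]  is rejected at
# ACL evaluation time regardless of whether the server is patched.
#
# ASSUMPTION: the exact endpoint list is taken from the advisory's wording
# ("identity entity system"); adjust it to the endpoints your operators use.

path "identity/entity" {
  capabilities = ["create", "update"]
  denied_parameters = {
    "policies" = ["root"]
  }
}

path "identity/entity/*" {
  capabilities = ["create", "update", "read", "list", "delete"]
  denied_parameters = {
    "policies" = ["root"]
  }
}
```

Two caveats worth keeping in mind when applying this: `denied_parameters` is evaluated as part of token ACL checks, so it does nothing for root tokens, which bypass ACLs entirely; and it only covers the endpoints you enumerate, so a policy that also grants write access to other identity paths that accept a `policies` parameter needs the same stanza there. After writing the policy, verify it with a token that carries only this policy by attempting an entity update whose `policies` value includes `root`; the expected result is a permission-denied error, and the attempt should appear in the audit log with the denied parameter visible.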
References:
- ADVISORY: GHSA-vf84-mxrq-crqc
- ADVISORY: GHSA-vf84-mxrq-crqc
- FIX: openbao/openbao@9b0b5d4
- WEB: https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032
- WEB: https://nvd.nist.gov/vuln/detail/cve-2025-5999
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/openbao/openbao
versions:
- fixed: 0.0.0-20250806193240-9b0b5d4f345f
- introduced: 0.1.0
non_go_versions:
- fixed: 2.3.2
summary: OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao
cves:
- CVE-2025-54996
ghsas:
- GHSA-vf84-mxrq-crqc
references:
- advisory: https://github.com/advisories/GHSA-vf84-mxrq-crqc
- advisory: https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc
- fix: https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f
- web: https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032
- web: https://nvd.nist.gov/vuln/detail/cve-2025-5999
notes:
- fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250808111916-d645c4300d72) is before last introduced version'
source:
id: GHSA-vf84-mxrq-crqc
created: 2025-08-08T15:01:27.016515548Z
review_status: UNREVIEWED