cve-2025-54996
Vulnerability from cvelistv5
Published
2025-08-09 01:32
Modified
2025-08-11 13:53
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
OpenBao Root Namespace Operator May Elevate Token Privileges
References
security-advisories@github.comhttps://github.com/openbao/openbao/pull/1627Issue Tracking
security-advisories@github.comhttps://github.com/openbao/openbao/releases/tag/v2.3.2Release Notes
security-advisories@github.comhttps://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqcVendor Advisory
Impacted products
openbaoopenbao
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54996",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-11T13:53:29.919832Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-11T13:53:47.409Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openbao",
          "vendor": "openbao",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-09T01:32:09.953Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc"
        },
        {
          "name": "https://github.com/openbao/openbao/pull/1627",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openbao/openbao/pull/1627"
        },
        {
          "name": "https://github.com/openbao/openbao/releases/tag/v2.3.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
        }
      ],
      "source": {
        "advisory": "GHSA-vf84-mxrq-crqc",
        "discovery": "UNKNOWN"
      },
      "title": "OpenBao Root Namespace Operator May Elevate Token Privileges"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54996",
    "datePublished": "2025-08-09T01:32:09.953Z",
    "dateReserved": "2025-08-04T17:34:24.420Z",
    "dateUpdated": "2025-08-11T13:53:47.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54996\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-09T02:15:37.887\",\"lastModified\":\"2025-08-12T20:51:06.020\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack.\"},{\"lang\":\"es\",\"value\":\"OpenBao existe para proporcionar una soluci\u00f3n de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 2.3.1 y anteriores, las cuentas con acceso a sistemas de entidades de identidad con privilegios elevados en espacios de nombres ra\u00edz pod\u00edan ampliar su alcance directamente a la pol\u00edtica ra\u00edz. Si bien el sistema de identidad permit\u00eda a\u00f1adir pol\u00edticas arbitrarias, que a su vez pod\u00edan contener concesiones de capacidad en rutas arbitrarias, la pol\u00edtica ra\u00edz se limitaba a la generaci\u00f3n manual mediante recursos compartidos de claves de recuperaci\u00f3n o desbloqueo. La pol\u00edtica ra\u00edz global no era accesible desde los espacios de nombres secundarios. Este problema se solucion\u00f3 en la versi\u00f3n 2.3.2. Para solucionar esta vulnerabilidad, el uso de \\\"denegated_parameters\\\" en cualquier pol\u00edtica que tenga acceso a los endpoints de identidad afectados (en entidades de identidad) podr\u00eda ser suficiente para impedir este tipo de ataque.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.3.2\",\"matchCriteriaId\":\"5572B591-02AC-4B8F-8956-FC9A606D7F32\"}]}]}],\"references\":[{\"url\":\"https://github.com/openbao/openbao/pull/1627\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/openbao/openbao/releases/tag/v2.3.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.