{"url":"http://public2.vulnerablecode.io/api/packages/129011?format=json","purl":"pkg:golang/github.com/openbao/openbao@0.0.0-20250807212521-c52795c1ef74","type":"golang","namespace":"github.com/openbao","name":"openbao","version":"0.0.0-20250807212521-c52795c1ef74","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.0.0-20251022165510-cc2c476bac66","latest_non_vulnerable_version":"2.5.4","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101427?format=json","vulnerability_id":"VCID-ffcm-ytdy-dbg3","summary":"OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias\n### Impact\n\nOpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the `username_as_alias=true` parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nLDAP methods are only vulnerable if using `username_as_alias=true`. Remove all usage of this parameter and update any entity aliases accordingly.\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6013","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55001","reference_id":"","reference_type":"","scores":[{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39726","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39709","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39736","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39762","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39759","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55001"},{"reference_url":"https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-11T14:45:22Z/"}],"url":"https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"},{"reference_url":"https://github.com/openbao/openbao","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openbao/openbao"},{"reference_url":"https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-11T14:45:22Z/"}],"url":"https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"},{"reference_url":"https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-11T14:45:22Z/"}],"url":"https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55001","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6013","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6013"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/129011?format=json","purl":"pkg:golang/github.com/openbao/openbao@0.0.0-20250807212521-c52795c1ef74","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/openbao/openbao@0.0.0-20250807212521-c52795c1ef74"},{"url":"http://public2.vulnerablecode.io/api/packages/128965?format=json","purl":"pkg:golang/github.com/openbao/openbao@2.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/openbao/openbao@2.3.2"}],"aliases":["CVE-2025-55001","GHSA-2q8q-8fgw-9p6p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ffcm-ytdy-dbg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100986?format=json","vulnerability_id":"VCID-u8mg-vk5f-1fam","summary":"OpenBao Userpass and LDAP User Lockout Bypass\n### Impact\n\nAttackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. \n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nExisting users may apply rate-limiting quotas on the authentication endpoints: https://openbao.org/api-docs/system/rate-limit-quotas/\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6004","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54998","reference_id":"","reference_type":"","scores":[{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36793","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.3678","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36818","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36853","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36847","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54998"},{"reference_url":"https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-11T14:38:13Z/"}],"url":"https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035"},{"reference_url":"https://github.com/openbao/openbao","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openbao/openbao"},{"reference_url":"https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-11T14:38:13Z/"}],"url":"https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"},{"reference_url":"https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-11T14:38:13Z/"}],"url":"https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54998","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54998"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6004","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6004"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/129011?format=json","purl":"pkg:golang/github.com/openbao/openbao@0.0.0-20250807212521-c52795c1ef74","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/openbao/openbao@0.0.0-20250807212521-c52795c1ef74"},{"url":"http://public2.vulnerablecode.io/api/packages/128965?format=json","purl":"pkg:golang/github.com/openbao/openbao@2.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/openbao/openbao@2.3.2"}],"aliases":["CVE-2025-54998","GHSA-j3xv-7fxp-gfhx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u8mg-vk5f-1fam"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/openbao/openbao@0.0.0-20250807212521-c52795c1ef74"}