{"url":"http://public2.vulnerablecode.io/api/packages/493755?format=json","purl":"pkg:apk/alpine/openbao@2.4.3-r0?arch=x86_64&distroversion=v3.22&reponame=community","type":"apk","namespace":"alpine","name":"openbao","version":"2.4.3-r0","qualifiers":{"arch":"x86_64","distroversion":"v3.22","reponame":"community"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96870?format=json","vulnerability_id":"VCID-9a8j-ngdz-zug2","summary":"OpenBao and Vault Leak []byte Fields in Audit Logs\n### Impact\n\nOpenBao's audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to:\n\n- `sys/raw` with use of `encoding=base64`, all data would be emitted unredacted to the audit log.\n- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.\n\nThird-party plugins may be affected.\n\nThis issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4. \n\n### Patches\n\nOpenBao v2.4.2 will patch this issue.\n\n### Workarounds\n\nIf users do not use the above functionality, they are not impacted. To prohibit the use of `sys/raw` globally, ensure `raw_storage_endpoint=false` is set or missing from the server configuration.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62705","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14993","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14892","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14867","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14949","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.1499","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62705"},{"reference_url":"https://github.com/openbao/openbao","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openbao/openbao"},{"reference_url":"https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T15:48:38Z/"}],"url":"https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"},{"reference_url":"https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T15:48:38Z/"}],"url":"https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62705","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62705"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/493755?format=json","purl":"pkg:apk/alpine/openbao@2.4.3-r0?arch=x86_64&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/openbao@2.4.3-r0%3Farch=x86_64&distroversion=v3.22&reponame=community"}],"aliases":["CVE-2025-62705","GHSA-rc54-2g2c-g36g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9a8j-ngdz-zug2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97485?format=json","vulnerability_id":"VCID-u8gq-f3c2-qqee","summary":"OpenBao leaks HTTPRawBody in Audit Logs\n### Impact\n\nOpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd).  This impacted the following subsystems:\n\n - When using the ACME functionality of PKI, this would result in short-lived ACME verification challenge codes being leaked in the audit logs.\n - When using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs.\n\nThird-party plugins may be affected.\n\n### Patches\n\nOpenBao v2.4.2 will patch this issue.\n\n### Workarounds\n\nIf users do not use the above functionality, they are not impacted. ACME verification codes are not usable after verification or challenge expiry so are of limited long-term use.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62513","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14993","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14892","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14867","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14949","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.1499","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62513"},{"reference_url":"https://github.com/openbao/openbao","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openbao/openbao"},{"reference_url":"https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-22T19:39:22Z/"}],"url":"https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"},{"reference_url":"https://github.com/openbao/openbao/security/advisories/GHSA-ghfh-fmx4-26h8","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-22T19:39:22Z/"}],"url":"https://github.com/openbao/openbao/security/advisories/GHSA-ghfh-fmx4-26h8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62513","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62513"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/493755?format=json","purl":"pkg:apk/alpine/openbao@2.4.3-r0?arch=x86_64&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/openbao@2.4.3-r0%3Farch=x86_64&distroversion=v3.22&reponame=community"}],"aliases":["CVE-2025-62513","GHSA-ghfh-fmx4-26h8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u8gq-f3c2-qqee"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/openbao@2.4.3-r0%3Farch=x86_64&distroversion=v3.22&reponame=community"}