SCA: security update for github.com/openbao/openbao (GHSA-rxp7-9q75-vj3p)

medium Tenable Cloud Security Plugin ID 437255

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication
(MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied
by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could
bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was
fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability
to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/. (CVE-2025-55003)

See Also

https://github.com/advisories/GHSA-rxp7-9q75-vj3p

Plugin Details

Severity: Medium

ID: 437255

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/28/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2025-55003

CVSS v3

Risk Factor: Medium

Base Score: 5.7

Temporal Score: 5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/8/2025

Vulnerability Publication Date: 8/8/2025

Reference Information

CVE: CVE-2025-55003

cwe: CWE-307