Alpine: multiple openbao packages: security update to 2.3.2-r0

low Tenable Self-Hosted Container Security Plugin ID 435758

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth
method, user enumeration was possible due to timing difference between non-existent users and users with
stored credentials. This is independent of whether the supplied credentials were valid for the given user.
This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or
apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-
docs/system/rate-limit-quotas/. (CVE-2025-54999)

- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged
identity entity systems in root namespaces were able to increase their scope directly to the root policy.
While the identity system allowed adding arbitrary policies, which in turn could contain capability grants
on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key
shares. The global root policy was not accessible from child namespaces. This issue is fixed in version
2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the
affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack.
(CVE-2025-54996)

- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit
privileged API operators from executing system code or making network connections. However, these
operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This
allows unauthorized code execution and network access that violates the intended security model. This
issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using
explicit deny policies, but root operators cannot be restricted this way. (CVE-2025-54997)

- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic
user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different
aliasing between pre-flight and full login request user entity alias attributions. This is fixed in
version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the
authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/. (CVE-2025-54998)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-54996

https://security.alpinelinux.org/vuln/CVE-2025-54997

https://security.alpinelinux.org/vuln/CVE-2025-54998

https://security.alpinelinux.org/vuln/CVE-2025-54999

https://security.alpinelinux.org/vuln/CVE-2025-55000

https://security.alpinelinux.org/vuln/CVE-2025-55003

Plugin Details

Severity: Low

ID: 435758

Version: Revision 1.9

Type: Local

Published: 10/23/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-54999

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/8/2025

Reference Information

CVE: CVE-2025-54996, CVE-2025-54997, CVE-2025-54998, CVE-2025-54999, CVE-2025-55000, CVE-2025-55003