Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth
method, user enumeration was possible due to timing difference between non-existent users and users with
stored credentials. This is independent of whether the supplied credentials were valid for the given user.
This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or
apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-
docs/system/rate-limit-quotas/. (CVE-2025-54999)
- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged
identity entity systems in root namespaces were able to increase their scope directly to the root policy.
While the identity system allowed adding arbitrary policies, which in turn could contain capability grants
on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key
shares. The global root policy was not accessible from child namespaces. This issue is fixed in version
2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the
affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack.
(CVE-2025-54996)
- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit
privileged API operators from executing system code or making network connections. However, these
operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This
allows unauthorized code execution and network access that violates the intended security model. This
issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using
explicit deny policies, but root operators cannot be restricted this way. (CVE-2025-54997)
- OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including
secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic
user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different
aliasing between pre-flight and full login request user entity alias attributions. This is fixed in
version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the
authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/. (CVE-2025-54998)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 8/8/2025