216.73.217.64

CVE-2025-54999

· Published 09/08/2025 03:15 · Modified 09/08/2025 03:15

Labels: CVE-2025-54999 2025-08-09CVE-2025-54999CWE-203[email protected]

Essential information

Published
09/08/2025 03:15
Modified
09/08/2025 03:15
Author
Creator
CVSS
3.7 LOW (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS metrics

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openbao / openbao cpe:2.3:a:openbao:openbao:0.1.0-2.3.1:*:*:*:*:*:*:*

References