CVE-2025-54999: Observable Discrepancy in OpenBao (vendor: OpenBao, product: OpenBao)

Severity: 3.7 LOW (NVD)
EPSS: 0.0% (top 91.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 9, 2025; latest update Aug 11, 2025

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to a timing difference between non-existent users and users with stored credentials: the response time reveals whether the username exists, independently of whether the supplied credentials were valid for that user. This issue was fixed in version 2.3.2. To work around this issue, users may use ano
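The following is an added example, not code from OpenBao or from its 2.3.2 patch. It reproduces the class of flaw the advisory describes in a small Go login routine and shows the standard mitigation: a lookup that returns early for an unknown user skips the expensive password hash entirely, so the "no such user" path answers much faster than the "wrong password" path; the hardened version hashes against a throwaway record when the user is missing so both paths do the same work before the result is decided. The user store, the `loginVulnerable`/`loginHardened` functions and the iterated SHA-256 `slowHash` are all constructed for this example (userpass really stores bcrypt hashes; the stand-in only keeps the example dependency-free). The `hashCalls` counter exists so the property "equal work on both paths" can be checked deterministically rather than by flaky wall-clock timing.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// hashRounds makes slowHash expensive enough that skipping it is measurable.
// Assumption: iterated SHA-256 stands in for the bcrypt hash that the real
// userpass backend stores; this is not OpenBao's code.
const hashRounds = 100_000

// hashCalls counts how often the expensive hash ran, so a test can verify
// that both login paths perform the same amount of work.
var hashCalls int

func slowHash(password, salt []byte) []byte {
	hashCalls++
	h := sha256.New()
	h.Write(salt)
	h.Write(password)
	sum := h.Sum(nil)
	for i := 1; i < hashRounds; i++ {
		s := sha256.Sum256(sum)
		sum = s[:]
	}
	return sum
}

type storedUser struct {
	salt []byte
	hash []byte
}

// userStore is an in-memory stand-in for the userpass backend's user records.
type userStore map[string]storedUser

func (s userStore) add(name, password string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s[name] = storedUser{salt: salt, hash: slowHash([]byte(password), salt)}
}

// loginVulnerable has the control flow the advisory describes: an unknown
// user is rejected before any hashing, so that path returns much faster than
// a wrong password for a real user, and the response time reveals whether
// the account exists.
func loginVulnerable(s userStore, name, password string) bool {
	u, ok := s[name]
	if !ok {
		return false // early return with no hash work: the observable discrepancy
	}
	return subtle.ConstantTimeCompare(slowHash([]byte(password), u.salt), u.hash) == 1
}

// dummyUser is a throwaway record hashed against whenever the requested user
// does not exist, so the unknown-user path costs the same as a failed login.
var dummyUser = storedUser{
	salt: make([]byte, 16),
	hash: slowHash([]byte("placeholder"), make([]byte, 16)),
}

// loginHardened always runs the hash and a constant-time compare, and only
// then folds in whether the user existed. This is the standard mitigation
// for this bug class, not a copy of the project's own fix.
func loginHardened(s userStore, name, password string) bool {
	u, ok := s[name]
	if !ok {
		u = dummyUser
	}
	match := subtle.ConstantTimeCompare(slowHash([]byte(password), u.salt), u.hash) == 1
	return ok && match
}

// timeLogin measures a single attempt. A real attacker samples each username
// many times and compares medians to average out network jitter, which is
// why this kind of side channel is rated as high attack complexity.
func timeLogin(login func(userStore, string, string) bool, s userStore, name, password string) time.Duration {
	start := time.Now()
	login(s, name, password)
	return time.Since(start)
}

func main() {
	users := userStore{}
	users.add("alice", "correct horse battery staple") // constructed sample user
	for _, tc := range []struct {
		label string
		login func(userStore, string, string) bool
	}{{"vulnerable", loginVulnerable}, {"hardened", loginHardened}} {
		known := timeLogin(tc.login, users, "alice", "wrong-password")
		unknown := timeLogin(tc.login, users, "nobody", "wrong-password")
		fmt.Printf("%-10s existing user: %v  unknown user: %v\n", tc.label, known, unknown)
	}
}
```

Running `main` prints the two timings per variant; for the vulnerable routine the unknown-user attempt is orders of magnitude faster, for the hardened one the two are within noise of each other. The hardened routine still leaks nothing through the return value because the existence bit is combined with the comparison result only after the hash has been computed on both paths.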

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (3)

NVD: openbao/openbao < 2.3.2
Go: github.com/openbao/openbao, introduced 0.1.0, fixed 2.3.2 (+2)
CVEListV5: openbao/openbao >= 0.1.0, < 2.3.2

Patches: none listed

Vulnerability Details (3 references)

OSV: OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao (2025-08-11)
GHSA: OpenBao has a Timing Side-Channel in the Userpass Auth Method (2025-08-08)
OSV: OpenBao has a Timing Side-Channel in the Userpass Auth Method (2025-08-08)