CVE-2025-55001 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and b…
Medium CVSS: 6.5

CVE-2025-55001

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly.
Vendor
Openbao
Product
Openbao
CWE
CWE-156
Yayın Tarihi
2025-08-09 03:15:46
Güncelleme
2025-08-12 20:44:04
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-156 Openbao MEDIUM Openbao 2025

Referanslar

https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092 https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p