{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54996", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-04T17:34:24.420Z", "datePublished": "2025-08-09T01:32:09.953Z", "dateUpdated": "2025-08-11T13:53:47.409Z"}, "containers": {"cna": {"title": "OpenBao Root Namespace Operator May Elevate Token Privileges", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc"}, {"name": "https://github.com/openbao/openbao/pull/1627", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/pull/1627"}, {"name": "https://github.com/openbao/openbao/releases/tag/v2.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": "< 2.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T01:32:09.953Z"}, "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack."}], "source": {"advisory": "GHSA-vf84-mxrq-crqc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T13:53:29.919832Z", "id": "CVE-2025-54996", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T13:53:47.409Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54996", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-11T13:53:29.919832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T13:53:36.375Z"}}], "cna": {"title": "OpenBao Root Namespace Operator May Elevate Token Privileges", "source": {"advisory": "GHSA-vf84-mxrq-crqc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": "< 2.3.2"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openbao/openbao/pull/1627", "name": "https://github.com/openbao/openbao/pull/1627", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openbao/openbao/releases/tag/v2.3.2", "name": "https://github.com/openbao/openbao/releases/tag/v2.3.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T01:32:09.953Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54996", "state": "PUBLISHED", "dateUpdated": "2025-08-11T13:53:47.409Z", "dateReserved": "2025-08-04T17:34:24.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-09T01:32:09.953Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "matchCriteriaId": "5572B591-02AC-4B8F-8956-FC9A606D7F32", "versionEndExcluding": "2.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack."}, {"lang": "es", "value": "OpenBao existe para proporcionar una soluci\u00f3n de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 2.3.1 y anteriores, las cuentas con acceso a sistemas de entidades de identidad con privilegios elevados en espacios de nombres ra\u00edz pod\u00edan ampliar su alcance directamente a la pol\u00edtica ra\u00edz. Si bien el sistema de identidad permit\u00eda a\u00f1adir pol\u00edticas arbitrarias, que a su vez pod\u00edan contener concesiones de capacidad en rutas arbitrarias, la pol\u00edtica ra\u00edz se limitaba a la generaci\u00f3n manual mediante recursos compartidos de claves de recuperaci\u00f3n o desbloqueo. La pol\u00edtica ra\u00edz global no era accesible desde los espacios de nombres secundarios. Este problema se solucion\u00f3 en la versi\u00f3n 2.3.2. Para solucionar esta vulnerabilidad, el uso de \"denegated_parameters\" en cualquier pol\u00edtica que tenga acceso a los endpoints de identidad afectados (en entidades de identidad) podr\u00eda ser suficiente para impedir este tipo de ataque."}], "id": "CVE-2025-54996", "lastModified": "2025-08-12T20:51:06.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-09T02:15:37.887", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/openbao/openbao/pull/1627"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}