Описание
OpenBao has a Timing Side-Channel in the Userpass Auth Method
Impact
When using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user.
Patches
OpenBao v2.3.2 will patch this issue.
Workarounds
Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/
References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
- https://nvd.nist.gov/vuln/detail/CVE-2025-6011
Barring further information, this is also assumed to cover and remediate the following additional vulnerability:
- https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
- https://nvd.nist.gov/vuln/detail/CVE-2025-6010
If this is not the case as further details emerge, a new CVE will be assigned for remediating that. Otherwise, no further CVE will be sought.
Ссылки
- https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357
- https://nvd.nist.gov/vuln/detail/CVE-2025-54999
- https://nvd.nist.gov/vuln/detail/CVE-2025-6011
- https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626
- https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
- https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
Пакеты
github.com/openbao/openbao
>= 0.1.0, < 2.3.2
2.3.2
github.com/openbao/openbao
< 0.0.0-20250806193356-4d9b5d3d6486
0.0.0-20250806193356-4d9b5d3d6486
Связанные уязвимости
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/.
OpenBao exists to provide a software solution to manage, store, and di ...