Описание
OpenBao Userpass and LDAP User Lockout Bypass
Impact
Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions.
Patches
OpenBao v2.3.2 will patch this issue.
Workarounds
Existing users may apply rate-limiting quotas on the authentication endpoints: https://openbao.org/api-docs/system/rate-limit-quotas/
References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
Ссылки
- https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx
- https://nvd.nist.gov/vuln/detail/CVE-2025-54998
- https://nvd.nist.gov/vuln/detail/CVE-2025-6004
- https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc
- https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035
Пакеты
github.com/openbao/openbao
>= 0.1.0, < 2.3.2
2.3.2
github.com/openbao/openbao
< 0.0.0-20250807212521-c52795c1ef74
0.0.0-20250807212521-c52795c1ef74
Связанные уязвимости
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/.
OpenBao exists to provide a software solution to manage, store, and di ...