{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54997", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-04T17:34:24.420Z", "datePublished": "2025-08-09T01:56:45.634Z", "dateUpdated": "2025-08-11T13:56:43.049Z"}, "containers": {"cna": {"title": "OpenBao: Privileged Operator May Execute Code on the Underlying Host", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp"}, {"name": "https://github.com/openbao/openbao/pull/1634", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/pull/1634"}, {"name": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033", "tags": ["x_refsource_MISC"], "url": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033"}, {"name": "https://github.com/openbao/openbao/releases/tag/v2.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": "< 2.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T01:56:45.634Z"}, "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way."}], "source": {"advisory": "GHSA-xp75-r577-cvhp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T13:56:31.277605Z", "id": "CVE-2025-54997", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T13:56:43.049Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54997", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-11T13:56:31.277605Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T13:56:35.007Z"}}], "cna": {"title": "OpenBao: Privileged Operator May Execute Code on the Underlying Host", "source": {"advisory": "GHSA-xp75-r577-cvhp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": "< 2.3.2"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openbao/openbao/pull/1634", "name": "https://github.com/openbao/openbao/pull/1634", "tags": ["x_refsource_MISC"]}, {"url": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033", "name": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openbao/openbao/releases/tag/v2.3.2", "name": "https://github.com/openbao/openbao/releases/tag/v2.3.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T01:56:45.634Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54997", "state": "PUBLISHED", "dateUpdated": "2025-08-11T13:56:43.049Z", "dateReserved": "2025-08-04T17:34:24.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-09T01:56:45.634Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "matchCriteriaId": "5572B591-02AC-4B8F-8956-FC9A606D7F32", "versionEndExcluding": "2.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way."}, {"lang": "es", "value": "OpenBao existe para proporcionar una soluci\u00f3n de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 2.3.1 y anteriores, algunas implementaciones de OpenBao limitan intencionalmente la ejecuci\u00f3n de c\u00f3digo del sistema o el establecimiento de conexiones de red por parte de operadores de API privilegiados. Sin embargo, estos operadores pueden eludir ambas restricciones a trav\u00e9s del subsistema de auditor\u00eda manipulando los prefijos de registro. Esto permite la ejecuci\u00f3n de c\u00f3digo no autorizado y el acceso a la red que infringe el modelo de seguridad previsto. Este problema se solucion\u00f3 en la versi\u00f3n 2.3.2. Como soluci\u00f3n alternativa, los usuarios pueden bloquear el acceso a los endpoints sys/audit/* mediante pol\u00edticas de denegaci\u00f3n expl\u00edcitas, pero los operadores ra\u00edz no pueden restringirse de esta forma."}], "id": "CVE-2025-54997", "lastModified": "2025-08-13T18:23:12.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-09T03:15:46.263", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/openbao/openbao/pull/1634"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}