x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-hh28-h22f-8357

[GoVulnBot]

Advisory GHSA-hh28-h22f-8357 references a vulnerability in the following Go modules:

Module
github.com/openbao/openbao

Description:

Impact

When using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the foll...

References:

• ADVISORY: GHSA-hh28-h22f-8357
• ADVISORY: GHSA-hh28-h22f-8357
• FIX: openbao/openbao@4d9b5d3
• WEB: https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
• WEB: https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
• WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-6011

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao
      versions:
        - fixed: 0.0.0-20250806193356-4d9b5d3d6486
        - introduced: 0.1.0
      non_go_versions:
        - fixed: 2.3.2
summary: OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao
cves:
    - CVE-2025-54999
ghsas:
    - GHSA-hh28-h22f-8357
references:
    - advisory: https://github.com/advisories/GHSA-hh28-h22f-8357
    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357
    - fix: https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626
    - web: https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
    - web: https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6011
notes:
    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250808111916-d645c4300d72) is before last introduced version'
source:
    id: GHSA-hh28-h22f-8357
    created: 2025-08-08T15:01:24.046675343Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/694756 mentions this issue: data/reports: add 20 reports

[gopherbot]

Change https://go.dev/cl/694855 mentions this issue: data/reports: add 8 reports