VYPR

rpm package

opensuse/openbao&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweed

Vulnerabilities (31)

  • CVE-2025-6013 (Aug 6, 2025)
    affected < 2.3.2-1.1; fixed 2.3.2-1.1

    Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.

  • CVE-2025-6015 (Aug 1, 2025)
    affected < 2.3.2-1.1; fixed 2.3.2-1.1

    Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

  • CVE-2025-6011 (Aug 1, 2025)
    affected < 2.3.2-1.1; fixed 2.3.2-1.1

    A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and

  • CVE-2025-6004 (Aug 1, 2025)
    affected < 2.3.2-1.1; fixed 2.3.2-1.1

    Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

  • CVE-2025-6014 (Aug 1, 2025)
    affected < 2.3.2-1.1; fixed 2.3.2-1.1

    Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

  • CVE-2025-6000 (Aug 1, 2025)
    affected < 2.3.2-1.1; fixed 2.3.2-1.1

    A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.1

  • CVE-2025-5999 (Aug 1, 2025)
    affected < 2.3.2-1.1; fixed 2.3.2-1.1

    A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

  • CVE-2025-52894 (Jun 25, 2025)
    affected < 2.3.1-1.1; fixed 2.3.1-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effec

  • CVE-2025-52893 (Jun 25, 2025)
    affected < 2.3.1-1.1; fixed 2.3.1-1.1

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 /

  • CVE-2025-4656 (Jun 25, 2025)
    affected < 2.3.1-1.1; fixed 2.3.1-1.1

    Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.

  • CVE-2025-4166 (May 2, 2025)
    affected < 2.2.2-1.1; fixed 2.2.2-1.1

    Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified a

Page 2 of 2