data/reports: review GO-2025-3783
- data/reports/GO-2025-3783.yaml
- No fixed version is specified, as there is no published major version for the
fixed v2.3.1 version.
Fixes golang/vulndb#3783
Fixes golang/vulndb#3877
Change-Id: I524805cfdffbc6cc8551d4a406fd620ae5211550
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/697735
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Ethan Lee <ethanalee@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
diff --git a/data/osv/GO-2025-3783.json b/data/osv/GO-2025-3783.json
index 0b35c3f..7c77882 100644
--- a/data/osv/GO-2025-3783.json
+++ b/data/osv/GO-2025-3783.json
@@ -7,12 +7,12 @@
"CVE-2025-52894",
"GHSA-prpj-rchp-9j5h"
],
- "summary": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao/api",
- "details": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao/api.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .",
+ "summary": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao",
+ "details": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao",
"affected": [
{
"package": {
- "name": "github.com/openbao/openbao/api",
+ "name": "github.com/openbao/openbao",
"ecosystem": "Go"
},
"ranges": [
@@ -26,37 +26,6 @@
}
],
"ecosystem_specific": {}
- },
- {
- "package": {
- "name": "github.com/openbao/openbao/api/v2",
- "ecosystem": "Go"
- },
- "ranges": [
- {
- "type": "SEMVER",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "2.3.1"
- }
- ]
- }
- ],
- "ecosystem_specific": {
- "custom_ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "2.2.2"
- }
- ]
- }
- ]
- }
}
],
"references": [
@@ -65,10 +34,6 @@
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h"
},
{
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52894"
- },
- {
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b"
},
@@ -87,6 +52,6 @@
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2025-3783",
- "review_status": "UNREVIEWED"
+ "review_status": "REVIEWED"
}
}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3783.yaml b/data/reports/GO-2025-3783.yaml
index be2fd67..beb3678 100644
--- a/data/reports/GO-2025-3783.yaml
+++ b/data/reports/GO-2025-3783.yaml
@@ -1,28 +1,22 @@
id: GO-2025-3783
modules:
- - module: github.com/openbao/openbao/api
- vulnerable_at: 1.12.2
- - module: github.com/openbao/openbao/api/v2
- versions:
- - fixed: 2.3.1
- non_go_versions:
- - introduced: 2.2.2
- vulnerable_at: 2.3.0
+ - module: github.com/openbao/openbao
summary: |-
OpenBao allows cancellation of root rekey and recovery rekey operations without
- authentication in github.com/openbao/openbao/api
+ authentication in github.com/openbao/openbao
cves:
- CVE-2025-52894
ghsas:
- GHSA-prpj-rchp-9j5h
references:
- advisory: https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h
- - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52894
- web: https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b
- web: https://github.com/openbao/openbao/releases/tag/v2.3.1
- web: https://openbao.org/docs/deprecation
- web: https://openbao.org/docs/deprecation/unauthed-rekey
+notes:
+ - A fixed version can not be specified without a published major version (v2)
source:
id: GHSA-prpj-rchp-9j5h
created: 2025-07-21T16:58:14.920746363Z
-review_status: UNREVIEWED
+review_status: REVIEWED
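Review bot: The new `- module: github.com/openbao/openbao` entry carries no `versions`, `non_go_versions` or `vulnerable_at`, so the reviewed report no longer records the upstream introduced version (2.2.2) or the fixed release (2.3.1) in machine-readable form. Consumers of the generated OSV entry will presumably treat every version of the module as affected. The `notes` line explains why a Go fixed version cannot be given, but someone triaging a scanner finding on a patched build has only the release link to tell them it does not apply. Consider keeping the upstream range under the module, e.g. `non_go_versions:` with `- introduced: 2.2.2` and `- fixed: 2.3.1` (if the report schema accepts a fixed bound there). The note could also be extended to `A fixed version can not be specified without a published major version (v2); fixed upstream in v2.3.1`.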