data/reports: add 8 reports
- data/reports/GO-2025-3852.yaml
- data/reports/GO-2025-3853.yaml
- data/reports/GO-2025-3854.yaml
- data/reports/GO-2025-3855.yaml
- data/reports/GO-2025-3856.yaml
- data/reports/GO-2025-3857.yaml
- data/reports/GO-2025-3858.yaml
- data/reports/GO-2025-3859.yaml
Fixes golang/vulndb#3852
Fixes golang/vulndb#3853
Fixes golang/vulndb#3854
Fixes golang/vulndb#3855
Fixes golang/vulndb#3856
Fixes golang/vulndb#3857
Fixes golang/vulndb#3858
Fixes golang/vulndb#3859
Change-Id: Iab7bbaaaecf743c277e97af69a54d8f4b1335cae
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/694855
Auto-Submit: Ethan Lee <ethanalee@google.com>
Reviewed-by: Markus Kusano <kusano@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2025-3852.json b/data/osv/GO-2025-3852.json
new file mode 100644
index 0000000..ebf7094
--- /dev/null
+++ b/data/osv/GO-2025-3852.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3852",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-7195",
+ "GHSA-856v-8qm2-9wjv"
+ ],
+ "summary": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd in github.com/operator-framework/operator-sdk",
+ "details": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd in github.com/operator-framework/operator-sdk",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/operator-framework/operator-sdk",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.15.2"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {}
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-856v-8qm2-9wjv"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2025-7195"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3852",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3853.json b/data/osv/GO-2025-3853.json
new file mode 100644
index 0000000..269fd56
--- /dev/null
+++ b/data/osv/GO-2025-3853.json
@@ -0,0 +1,77 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3853",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-55000",
+ "GHSA-f7c3-mhj2-9pvg"
+ ],
+ "summary": "OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao",
+ "details": "OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250806193153-183891f8d535"
+ },
+ {
+ "introduced": "0.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55000"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6014"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3853",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3854.json b/data/osv/GO-2025-3854.json
new file mode 100644
index 0000000..49fb11d
--- /dev/null
+++ b/data/osv/GO-2025-3854.json
@@ -0,0 +1,81 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3854",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-54999",
+ "GHSA-hh28-h22f-8357"
+ ],
+ "summary": "OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao",
+ "details": "OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250806193356-4d9b5d3d6486"
+ },
+ {
+ "introduced": "0.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54999"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6011"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3854",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3855.json b/data/osv/GO-2025-3855.json
new file mode 100644
index 0000000..ec4aa5a
--- /dev/null
+++ b/data/osv/GO-2025-3855.json
@@ -0,0 +1,77 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3855",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-54998",
+ "GHSA-j3xv-7fxp-gfhx"
+ ],
+ "summary": "OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao",
+ "details": "OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250807212521-c52795c1ef74"
+ },
+ {
+ "introduced": "0.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54998"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6004"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3855",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3856.json b/data/osv/GO-2025-3856.json
new file mode 100644
index 0000000..1a3bd5a
--- /dev/null
+++ b/data/osv/GO-2025-3856.json
@@ -0,0 +1,77 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3856",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-55003",
+ "GHSA-rxp7-9q75-vj3p"
+ ],
+ "summary": "OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao",
+ "details": "OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250807113757-8340a6918f6c"
+ },
+ {
+ "introduced": "0.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55003"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6015"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3856",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3857.json b/data/osv/GO-2025-3857.json
new file mode 100644
index 0000000..df81dcd
--- /dev/null
+++ b/data/osv/GO-2025-3857.json
@@ -0,0 +1,85 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3857",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-54996",
+ "GHSA-vf84-mxrq-crqc"
+ ],
+ "summary": "OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao",
+ "details": "OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250806193240-9b0b5d4f345f"
+ },
+ {
+ "introduced": "0.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54996"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/cve-2025-5999"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/pull/1627"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3857",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3858.json b/data/osv/GO-2025-3858.json
new file mode 100644
index 0000000..83e89e4
--- /dev/null
+++ b/data/osv/GO-2025-3858.json
@@ -0,0 +1,85 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3858",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-54997",
+ "GHSA-xp75-r577-cvhp"
+ ],
+ "summary": "Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao",
+ "details": "Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250806194004-a14053c9679d"
+ },
+ {
+ "introduced": "0.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54997"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/a14053c9679d6e9cf370f00cf933476cda6d84a2"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/pull/1634"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6000"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3858",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3859.json b/data/osv/GO-2025-3859.json
new file mode 100644
index 0000000..bf1bc6f
--- /dev/null
+++ b/data/osv/GO-2025-3859.json
@@ -0,0 +1,77 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3859",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2025-55001",
+ "GHSA-2q8q-8fgw-9p6p"
+ ],
+ "summary": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao",
+ "details": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/openbao/openbao before v2.3.2.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/openbao/openbao",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.0.0-20250807212521-c52795c1ef74"
+ },
+ {
+ "introduced": "0.1.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "custom_ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.3.2"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55001"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6013"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3859",
+ "review_status": "UNREVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3852.yaml b/data/reports/GO-2025-3852.yaml
new file mode 100644
index 0000000..e71d35a
--- /dev/null
+++ b/data/reports/GO-2025-3852.yaml
@@ -0,0 +1,20 @@
+id: GO-2025-3852
+modules:
+ - module: github.com/operator-framework/operator-sdk
+ versions:
+ - fixed: 0.15.2
+ vulnerable_at: 0.15.1
+summary: 'operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd in github.com/operator-framework/operator-sdk'
+cves:
+ - CVE-2025-7195
+ghsas:
+ - GHSA-856v-8qm2-9wjv
+references:
+ - advisory: https://github.com/advisories/GHSA-856v-8qm2-9wjv
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-7195
+ - web: https://access.redhat.com/security/cve/CVE-2025-7195
+ - web: https://bugzilla.redhat.com/show_bug.cgi?id=2376300
+source:
+ id: GHSA-856v-8qm2-9wjv
+ created: 2025-08-11T17:47:55.07967159Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3853.yaml b/data/reports/GO-2025-3853.yaml
new file mode 100644
index 0000000..80db5f6
--- /dev/null
+++ b/data/reports/GO-2025-3853.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3853
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20250806193153-183891f8d535
+ - introduced: 0.1.0
+ non_go_versions:
+ - fixed: 2.3.2
+summary: OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao
+cves:
+ - CVE-2025-55000
+ghsas:
+ - GHSA-f7c3-mhj2-9pvg
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55000
+ - fix: https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6014
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+ id: GHSA-f7c3-mhj2-9pvg
+ created: 2025-08-11T17:47:50.552468148Z
+review_status: UNREVIEWED
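Review bot: The `versions` list under `github.com/openbao/openbao` ends with an open `- introduced: 0.1.0` and no later `fixed`, so the SEMVER range in the generated OSV record flags every version from 0.1.0 upward as vulnerable with no fix; the only fix is expressed as the pseudo-version `0.0.0-20250806193153-183891f8d535` and as `non_go_versions: fixed: 2.3.2`. Presumably this is because the project's 2.x tags are not valid module versions for the un-suffixed path (which is also why the tool could not compute `vulnerable_at`, per the `notes` entry), but a consumer that compares the upstream tag `2.3.2` against the SEMVER range will report it as still affected. If this open range is intentional, it would help to say so in `notes`, e.g. `- fix: 'github.com/openbao/openbao: 2.x tags are not Go module versions for this path; fix is expressed via pseudo-version and non_go_versions'`; if not, the trailing `introduced: 0.1.0` event should be dropped or closed. The same shape appears in GO-2025-3854 through GO-2025-3859 and in their generated data/osv JSON files.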
diff --git a/data/reports/GO-2025-3854.yaml b/data/reports/GO-2025-3854.yaml
new file mode 100644
index 0000000..14267ac
--- /dev/null
+++ b/data/reports/GO-2025-3854.yaml
@@ -0,0 +1,26 @@
+id: GO-2025-3854
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20250806193356-4d9b5d3d6486
+ - introduced: 0.1.0
+ non_go_versions:
+ - fixed: 2.3.2
+summary: OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao
+cves:
+ - CVE-2025-54999
+ghsas:
+ - GHSA-hh28-h22f-8357
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54999
+ - fix: https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6011
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+ id: GHSA-hh28-h22f-8357
+ created: 2025-08-11T17:47:45.322448242Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3855.yaml b/data/reports/GO-2025-3855.yaml
new file mode 100644
index 0000000..1b8c3f9
--- /dev/null
+++ b/data/reports/GO-2025-3855.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3855
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20250807212521-c52795c1ef74
+ - introduced: 0.1.0
+ non_go_versions:
+ - fixed: 2.3.2
+summary: OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao
+cves:
+ - CVE-2025-54998
+ghsas:
+ - GHSA-j3xv-7fxp-gfhx
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54998
+ - fix: https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6004
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+ id: GHSA-j3xv-7fxp-gfhx
+ created: 2025-08-11T17:47:40.561780898Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3856.yaml b/data/reports/GO-2025-3856.yaml
new file mode 100644
index 0000000..ca09da2
--- /dev/null
+++ b/data/reports/GO-2025-3856.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3856
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20250807113757-8340a6918f6c
+ - introduced: 0.1.0
+ non_go_versions:
+ - fixed: 2.3.2
+summary: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao
+cves:
+ - CVE-2025-55003
+ghsas:
+ - GHSA-rxp7-9q75-vj3p
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55003
+ - fix: https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6015
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+ id: GHSA-rxp7-9q75-vj3p
+ created: 2025-08-11T17:47:35.965536488Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3857.yaml b/data/reports/GO-2025-3857.yaml
new file mode 100644
index 0000000..ecfce48
--- /dev/null
+++ b/data/reports/GO-2025-3857.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3857
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20250806193240-9b0b5d4f345f
+ - introduced: 0.1.0
+ non_go_versions:
+ - fixed: 2.3.2
+summary: OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao
+cves:
+ - CVE-2025-54996
+ghsas:
+ - GHSA-vf84-mxrq-crqc
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-vf84-mxrq-crqc
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54996
+ - advisory: https://nvd.nist.gov/vuln/detail/cve-2025-5999
+ - fix: https://github.com/openbao/openbao/commit/9b0b5d4f345fdfb1065956f042b12cbd86cd6e0f
+ - fix: https://github.com/openbao/openbao/pull/1627
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032
+ - web: https://github.com/openbao/openbao/releases/tag/v2.3.2
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+ id: GHSA-vf84-mxrq-crqc
+ created: 2025-08-11T17:47:30.585357319Z
+review_status: UNREVIEWED
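Review bot: The reference `- advisory: https://nvd.nist.gov/vuln/detail/cve-2025-5999` is inconsistent with the rest of this batch in two ways: the CVE identifier is lowercase while every other NVD link uses `CVE-`, and the corresponding upstream-Vault CVE cross-reference in the sibling reports (for example CVE-2025-6014 in GO-2025-3853) is typed `web`, not `advisory`, and CVE-2025-5999 is not listed under `cves` here. An `advisory`-typed reference to an ID that is not an alias of this report may be read by OSV consumers as the report's own advisory; the lowercase form probably came through from the source GHSA. Suggest `- web: https://nvd.nist.gov/vuln/detail/CVE-2025-5999`, which would also correct the `ADVISORY` entry carried into the generated data/osv/GO-2025-3857.json.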
diff --git a/data/reports/GO-2025-3858.yaml b/data/reports/GO-2025-3858.yaml
new file mode 100644
index 0000000..2b49a59
--- /dev/null
+++ b/data/reports/GO-2025-3858.yaml
@@ -0,0 +1,27 @@
+id: GO-2025-3858
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20250806194004-a14053c9679d
+ - introduced: 0.1.0
+ non_go_versions:
+ - fixed: 2.3.2
+summary: Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao
+cves:
+ - CVE-2025-54997
+ghsas:
+ - GHSA-xp75-r577-cvhp
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54997
+ - fix: https://github.com/openbao/openbao/commit/a14053c9679d6e9cf370f00cf933476cda6d84a2
+ - fix: https://github.com/openbao/openbao/pull/1634
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
+ - web: https://github.com/openbao/openbao/releases/tag/v2.3.2
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6000
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+ id: GHSA-xp75-r577-cvhp
+ created: 2025-08-11T17:47:24.548515944Z
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2025-3859.yaml b/data/reports/GO-2025-3859.yaml
new file mode 100644
index 0000000..97e0181
--- /dev/null
+++ b/data/reports/GO-2025-3859.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3859
+modules:
+ - module: github.com/openbao/openbao
+ versions:
+ - fixed: 0.0.0-20250807212521-c52795c1ef74
+ - introduced: 0.1.0
+ non_go_versions:
+ - fixed: 2.3.2
+summary: OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao
+cves:
+ - CVE-2025-55001
+ghsas:
+ - GHSA-2q8q-8fgw-9p6p
+references:
+ - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-55001
+ - fix: https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc
+ - web: https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092
+ - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6013
+notes:
+ - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250811154358-5de180a08318) is before last introduced version'
+source:
+ id: GHSA-2q8q-8fgw-9p6p
+ created: 2025-08-11T17:47:18.965594499Z
+review_status: UNREVIEWED