GHSA-2q8q-8fgw-9p6p

Source
https://github.com/advisories/GHSA-2q8q-8fgw-9p6p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-2q8q-8fgw-9p6p/GHSA-2q8q-8fgw-9p6p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2q8q-8fgw-9p6p
Aliases
Published
2025-08-08T15:17:09Z
Modified
2025-08-11T18:42:05.542268Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
Details

Impact

OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the username_as_alias=true parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements.
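The alias derivation the advisory describes, as an added illustrative model in Go (not OpenBao's own code): a constructed case-insensitive directory with one account, an MFA rule keyed on the entity alias "alice", and the two alias strategies side by side. Binding the alias to the canonical username returned by the directory is the hardening assumed here; the advisory does not state the exact normalization shipped in v2.3.2.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in directory (canonical username -> password). Real LDAP
// servers commonly match usernames case-insensitively; so does this one.
var directory = map[string]string{"alice": "s3cret-example"}

// Constructed MFA enforcement keyed by entity alias name, mirroring the
// advisory's statement that MFA is attributed per alias.
var mfaEnforcedAliases = map[string]bool{"alice": true}

// ldapBind models a case-insensitive bind and returns the canonical username.
func ldapBind(username, password string) (string, error) {
	canonical := strings.ToLower(strings.TrimSpace(username))
	if pw, ok := directory[canonical]; ok && pw == password {
		return canonical, nil
	}
	return "", fmt.Errorf("bind failed for %q", username)
}

// loginVerbatimAlias models username_as_alias=true before the fix: the
// caller-supplied string is used as-is as the alias for the MFA lookup.
func loginVerbatimAlias(username, password string) (string, bool, error) {
	if _, err := ldapBind(username, password); err != nil {
		return "", false, err
	}
	return username, mfaEnforcedAliases[username], nil
}

// loginCanonicalAlias derives the alias from the identity the directory
// actually authenticated, so every spelling of one account maps to one alias
// (the hardening assumed in this example).
func loginCanonicalAlias(username, password string) (string, bool, error) {
	canonical, err := ldapBind(username, password)
	if err != nil {
		return "", false, err
	}
	return canonical, mfaEnforcedAliases[canonical], nil
}

func main() {
	va, vm, _ := loginVerbatimAlias("Alice", "s3cret-example")
	ca, cm, _ := loginCanonicalAlias("Alice", "s3cret-example")
	fmt.Printf("verbatim alias %q MFA=%v; canonical alias %q MFA=%v\n", va, vm, ca, cm)
}
```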

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

LDAP methods are only vulnerable if using username_as_alias=true. Remove all usage of this parameter and update any entity aliases accordingly.

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

  • https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092
  • https://nvd.nist.gov/vuln/detail/CVE-2025-6013
Database specific
{
    "nvd_published_at": "2025-08-09T03:15:46Z",
    "cwe_ids": [
        "CWE-156"
    ],
    "github_reviewed_at": "2025-08-08T15:17:09Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
Affected packages

Go / github.com/openbao/openbao

Package

Name
github.com/openbao/openbao
Purl
pkg:golang/github.com/openbao/openbao

Affected ranges

Type
SEMVER
Events
Introduced
0.1.0
Fixed
2.3.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-2q8q-8fgw-9p6p/GHSA-2q8q-8fgw-9p6p.json"

Go / github.com/openbao/openbao

Package

Name
github.com/openbao/openbao
Purl
pkg:golang/github.com/openbao/openbao

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.0-20250807212521-c52795c1ef74

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-2q8q-8fgw-9p6p/GHSA-2q8q-8fgw-9p6p.json"