{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T18:21:55.685","vulnerabilities":[{"cve":{"id":"CVE-2025-54999","sourceIdentifier":"security-advisories@github.com","published":"2025-08-09T03:15:46.597","lastModified":"2025-11-13T17:54:56.290","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/."},{"lang":"es","value":"OpenBao existe para proporcionar una solución de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 0.1.0 a 2.3.1, al usar el método de autenticación userpass de OpenBao, la enumeración de usuarios era posible debido a la diferencia de tiempo entre usuarios inexistentes y usuarios con credenciales almacenadas. Esto es independiente de si las credenciales proporcionadas eran válidas para el usuario en cuestión. Este problema se solucionó en la versión 2.3.2. Para solucionar este problema, los usuarios pueden usar otro método de autenticación o aplicar cuotas de limitación de velocidad para limitar el número de solicitudes en un período determinado: https://openbao.org/api-docs/system/rate-limit-quotas/."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-203"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*","versionEndExcluding":"2.3.2","matchCriteriaId":"5572B591-02AC-4B8F-8956-FC9A606D7F32"}]}]}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034","source":"security-advisories@github.com","tags":["Not Applicable"]},{"url":"https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095","source":"security-advisories@github.com","tags":["Not Applicable"]},{"url":"https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}