GHSA-7FF4-JW48-3436
Vulnerability from github – Published: 2025-11-24 21:51 – Updated: 2025-11-27 07:58
Summary
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
Details
Impact
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when:
1. An operator in the root namespace has access to `identity/groups` endpoints.
2. An operator does not have policy access.
Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the `sudo` capability.
Patches
Patched in version 2.4.4.
Workarounds
Users should audit the use of the identity subsystem and deny operators access to it if it is not in use.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64761"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-24T21:51:18Z",
"nvd_published_at": "2025-11-25T01:15:46Z",
"severity": "HIGH"
},
"details": "### Impact\n\nSimilar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user\u0027s permissions in the system. Specifically this is an issue when:\n\n1. An operator in the root namespace has access to `identity/groups` endpoints.\n2. An operator does not have policy access.\n\nOtherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the `sudo` capability.\n\n### Patches\n\nPatched in version 2.4.4. \n\n### Workarounds\n\nUsers should audit the use of identity subsystem and deny operators access if it is not in use.",
"id": "GHSA-7ff4-jw48-3436",
"modified": "2025-11-27T07:58:33Z",
"published": "2025-11-24T21:51:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64761"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/pull/2143"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/747a1378c2756f86296ad9450f74f6faeecc2eb7"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/releases/tag/v2.4.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.