openbao

12 open findings · 7 with upstream fix available · 3 after VEX (9 suppressed)

Image: ghcr.io/rtvkiz/minimal-openbao:latest  ·  Size: 123 MB  ·  Last rebuilt: 0d ago  ·  Updated: 2026-06-17 21:45 UTC

Author-asserted VEX statements (9)

GO-2025-3858 · not_affected · vulnerable_code_not_present
Fix commit a14053c9679d is an ancestor of the openbao v2.5.4 tag we build from (GitHub compare v2.5.4...a14053c9679d reports 'behind'), so the patched code ships in this image. govulndb records the fix only as a 0.0.0-20250806 pseudo-version because the openbao module path lacks a /v2 suffix, which makes version-range matchers treat every v2.x tag as affected.
GO-2025-3857 · not_affected · vulnerable_code_not_present
Fix commit 9b0b5d4f345f is an ancestor of the openbao v2.5.4 tag we build from (GitHub compare v2.5.4...9b0b5d4f345f reports 'behind'), so the patched code ships in this image. govulndb records the fix only as a 0.0.0-20250806 pseudo-version because the openbao module path lacks a /v2 suffix, which makes version-range matchers treat every v2.x tag as affected.
GO-2025-3859 · not_affected · vulnerable_code_not_present
Fix commit c52795c1ef74 is an ancestor of the openbao v2.5.4 tag we build from (GitHub compare v2.5.4...c52795c1ef74 reports 'behind'), so the patched code ships in this image. govulndb records the fix only as a 0.0.0-20250807 pseudo-version because the openbao module path lacks a /v2 suffix, which makes version-range matchers treat every v2.x tag as affected.
GO-2025-3853 · not_affected · vulnerable_code_not_present
Fix commit 183891f8d535 is an ancestor of the openbao v2.5.4 tag we build from (GitHub compare v2.5.4...183891f8d535 reports 'behind'), so the patched code ships in this image. govulndb records the fix only as a 0.0.0-20250806 pseudo-version because the openbao module path lacks a /v2 suffix, which makes version-range matchers treat every v2.x tag as affected.
GO-2025-3855 · not_affected · vulnerable_code_not_present
Fix commit c52795c1ef74 is an ancestor of the openbao v2.5.4 tag we build from (GitHub compare v2.5.4...c52795c1ef74 reports 'behind'), so the patched code ships in this image. govulndb records the fix only as a 0.0.0-20250807 pseudo-version because the openbao module path lacks a /v2 suffix, which makes version-range matchers treat every v2.x tag as affected.
GO-2025-3856 · not_affected · vulnerable_code_not_present
Fix commit 8340a6918f6c is an ancestor of the openbao v2.5.4 tag we build from (GitHub compare v2.5.4...8340a6918f6c reports 'behind'), so the patched code ships in this image. govulndb records the fix only as a 0.0.0-20250807 pseudo-version because the openbao module path lacks a /v2 suffix, which makes version-range matchers treat every v2.x tag as affected.
GO-2025-3854 · not_affected · vulnerable_code_not_present
Fix commit 4d9b5d3d6486 is an ancestor of the openbao v2.5.4 tag we build from (GitHub compare v2.5.4...4d9b5d3d6486 reports 'behind'), so the patched code ships in this image. govulndb records the fix only as a 0.0.0-20250806 pseudo-version because the openbao module path lacks a /v2 suffix, which makes version-range matchers treat every v2.x tag as affected.
GO-2022-0646 · not_affected · vulnerable_code_not_present
The advisory affects only aws-sdk-go v1's S3 encryption client (service/s3/s3crypto). openbao/openbao contains zero references to s3crypto, and Go links only imported packages into the binary, so the vulnerable code is not present. No fixed aws-sdk-go v1 release exists or is planned (fixed only in aws-sdk-go-v2).
GO-2022-0635 · not_affected · vulnerable_code_not_present
The advisory affects only aws-sdk-go v1's S3 encryption client (service/s3/s3crypto). openbao/openbao contains zero references to s3crypto, and Go links only imported packages into the binary, so the vulnerable code is not present. No fixed aws-sdk-go v1 release exists or is planned (fixed only in aws-sdk-go-v2).
| Package | Version | Severity | CVE | Fix | Description | VEX |
|---|---|---|---|---|---|---|
| github.com/openbao/openbao | v2.5.5 | CRITICAL | GO-2025-3858 | 0.0.0-20250806194004-a14053c9679d | Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao. NOTE: The source advisory for this report contains additiona… | VEX |
| github.com/openbao/openbao | v2.5.5 | HIGH | GO-2025-4039 | | OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao. NOTE: The source a… | |
| github.com/openbao/openbao | v2.5.5 | HIGH | GO-2025-3783 | | OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao | |
| github.com/openbao/openbao | v2.5.5 | HIGH | GO-2025-4156 | | OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation in github.com/openbao/openbao. NOTE: The source advisory for this report contains a… | |
| github.com/openbao/openbao | v2.5.5 | HIGH | GO-2025-3857 | 0.0.0-20250806193240-9b0b5d4f345f | OpenBao Root Namespace Operator May Elevate Token Privileges in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versi… | VEX |
| github.com/aws/aws-sdk-go | v1.55.6 | MEDIUM | GO-2022-0646 | | A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without compu… | VEX |
| github.com/openbao/openbao | v2.5.5 | MEDIUM | GO-2025-3859 | 0.0.0-20250807212521-c52795c1ef74 | OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional v… | VEX |
| github.com/openbao/openbao | v2.5.5 | MEDIUM | GO-2025-3853 | 0.0.0-20250806193153-183891f8d535 | OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versions that could not be… | VEX |
| github.com/openbao/openbao | v2.5.5 | MEDIUM | GO-2025-3855 | 0.0.0-20250807212521-c52795c1ef74 | OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versions that could… | VEX |
| github.com/openbao/openbao | v2.5.5 | MEDIUM | GO-2025-3856 | 0.0.0-20250807113757-8340a6918f6c | OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional ver… | VEX |
| github.com/aws/aws-sdk-go | v1.55.6 | LOW | GO-2022-0635 | | A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bu… | VEX |
| github.com/openbao/openbao | v2.5.5 | LOW | GO-2025-3854 | 0.0.0-20250806193356-4d9b5d3d6486 | OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional vers… | VEX |