CVE-2025-62705
EPSS 0.05%OpenBao and Vault Leak []byte Fields in Audit Logs
描述
### Impact OpenBao's audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to: - `sys/raw` with use of `encoding=base64`, all data would be emitted unredacted to the audit log. - Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log. Third-party plugins may be affected. This issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4. ### Patches OpenBao v2.4.2 will patch this issue. ### Workarounds If users do not use the above functionality, they are not impacted. To prohibit the use of `sys/raw` globally, ensure `raw_storage_endpoint=false` is set or missing from the server configuration.
受影響套件(2)
- Go/github.com/openbao/openbaofrom 0, < 0.0.0-20251022165510-cc2c476bac66
- Go/github.com/openbao/openbaofrom 0, < 0.0.0-20251022165510-cc2c476bac66
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |