121 matches found
Improper Authentication
github.com/openbao/openbao is vulnerable to improper authentication. The vulnerability is due to unexpected normalization in the underlying TOTP library, which allows an attacker to reuse a valid TOTP code multiple times instead of only once...
GO-2025-3853 OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao
OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest...
GO-2025-3841 Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault...
CVE-2025-55000
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected...
CVE-2025-55003
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication MFA system allows enforcing MFA using Time-based One Time Password TOTP. Due to...
CVE-2025-55003
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication MFA system allows enforcing MFA using Time-based One Time Password TOTP. Due to...
CVE-2025-55000 OpenBao TOTP Secrets Engine Enables Code Reuse
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected...
CVE-2025-55000 OpenBao TOTP Secrets Engine Enables Code Reuse
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected...
CVE-2025-55000
OpenBao CVE-2025-55000 affects OpenBao 0.1.0–2.3.1. Root cause: unexpected normalization in the underlying TOTP library allows the TOTP secrets engine to accept valid codes more than once. Impact statement in sources notes that TOTP code verification is a privileged action and only trusted system...
OpenBao TOTP Secrets Engine Code Reuse
Impact OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. Patches OpenBao v2.3.2 will patch this issue. In patching, codes which were not normalized strictly N numeric digits...
GHSA-F7C3-MHJ2-9PVG OpenBao TOTP Secrets Engine Code Reuse
Impact OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. Patches OpenBao v2.3.2 will patch this issue. In patching, codes which were not normalized strictly N numeric digits...
BIT-VAULT-2025-6014 Vault TOTP Secrets Engine Code Reuse
Vault and Vault Enterprise’s “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
CVE-2025-6014
A flaw was found in github.com/hashicorp/vault. The Time-based One-Time Password Secrets Engine's TOTP validation endpoint allows code reuse during its validity period, enabling a remote attacker to potentially leverage existing, valid TOTP secrets. This vulnerability allows an attacker to...
Improper Neutralization
Overview github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Improper Neutralization via validateTOTP. An attacker can gain unauthorized access to protected resources by reusing a valid code within its validity period by...
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
Vault and Vault Enterprise’s “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
GHSA-QV3P-FMV3-9HWW Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
Vault and Vault Enterprise’s “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
CVE-2025-6014
Vault and Vault Enterprise’s “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
CVE-2025-6014
Vault and Vault Enterprise’s “Vault” TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
CVE-2025-6015 Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse
Vault and Vault Enterprise’s “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
CVE-2025-6015 Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse
Vault and Vault Enterprise’s “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...