Skip to main content

Ubuntu CVE-2025-52893

| EUVDEUVD-2025-19112 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2025-06-25 security-advisories@github.com GHSA-8f5r-8cmq-7fmq
4.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.5 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19112
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
Patch released
Mar 15, 2026 - 23:19 nvd
Patch available
CVE Published
Jun 25, 2025 - 17:15 nvd
MEDIUM 4.5

DescriptionGitHub Advisory

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.

Analysis

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Insertion of Sensitive Information into Log File (CWE-532).

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

CVE-2024-2048 CRITICAL
9.8 Mar 04

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when con

CVE-2025-54997 CRITICAL
9.1 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2024-7594 HIGH
8.8 Sep 26

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity

CVE-2025-52894 HIGH
7.5 Jun 25

OpenBao versions before 2.3.0 contain an unauthenticated denial-of-service vulnerability in the root rekey and recovery

CVE-2025-64761 HIGH
7.5 Nov 25

OpenBao is an open source identity-based secrets management system. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-8185 HIGH
7.5 Oct 31

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a den

CVE-2024-9180 HIGH
7.2 Oct 10

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or

CVE-2025-54998 MEDIUM
5.3 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

CVE-2025-4166 MEDIUM
4.5 May 02

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in

CVE-2026-39396 LOW
3.1 Apr 21

Disk exhaustion via decompression bomb in OpenBao's OCI plugin downloader allows network attackers to exhaust victim dis

CVE-2026-40264 LOW
2.0 Apr 21

OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tok

CVE-2025-55003 MEDIUM
5.7 Aug 09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certifi

Vendor StatusVendor

Ubuntu

Priority: Medium
golang-github-go-viper-mapstructure
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
upstream needs-triage -
questing needs-triage -
plucky ignored end of life, was needs-triage

Debian

Bug #1069794
openbao
Release Status Fixed Version Urgency
open - -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed

Share

CVE-2025-52893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy