Description
Advisory GHSA-jp7h-4f3c-9rc7 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/openbao/openbao-plugins |
Description:
Impact
This is a cross-account impersonation vulnerability in the auth-aws plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access.
This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts.
The core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a `bound_iam_princi...
References:
- ADVISORY: GHSA-jp7h-4f3c-9rc7
- FIX: openbao/openbao-plugins@2a77af3
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao-plugins
      non_go_versions:
        - introduced: TODO (earliest fixed "0.1.1", vuln range "<= 0.1.0")
      vulnerable_at: 0.0.0-20251023130716-2a77af368347
summary: |-
    OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS
    Auth Method in github.com/openbao/openbao-plugins
cves:
    - CVE-2025-59048
ghsas:
    - GHSA-jp7h-4f3c-9rc7
references:
    - advisory: https://github.com/advisories/GHSA-jp7h-4f3c-9rc7
    - advisory: https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7
    - fix: https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae
source:
    id: GHSA-jp7h-4f3c-9rc7
    created: 2025-10-23T17:01:19.654748121Z
review_status: UNREVIEWED