CVE-2025-54997 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-54997 Interim 1 5 2026-03-05T00:30:19Z current 2025-08-13T23:14:53Z 2026-03-05T00:30:19Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-54997 OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-updates/2025-August/041294.html E-Mail link for SUSE-SU-2025:02912-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed ca-certificates-mozilla-2.84-slfo.1.1_1.1 govulncheck-vulndb-0.0.20250811T192933-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 shim-15.8-1.1 ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest shim-15.8-1.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Container suse/sl-micro/6.0/toolbox:latest ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Image SL-Micro shim-15.8-1.1 as a component of Image SL-Micro ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Image SLE-Micro shim-15.8-1.1 as a component of Image SLE-Micro shim-15.8-1.1 as a component of Image SLE-Micro-Azure shim-15.8-1.1 as a component of Image SLE-Micro-BYOS shim-15.8-1.1 as a component of Image SLE-Micro-BYOS-Azure shim-15.8-1.1 as a component of Image SLE-Micro-BYOS-EC2 shim-15.8-1.1 as a component of Image SLE-Micro-BYOS-GCE ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 shim-15.8-1.1 as a component of Image SLE-Micro-EC2 shim-15.8-1.1 as a component of Image SLE-Micro-GCE govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250811T192933-1.1 as a component of openSUSE Tumbleweed OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way. CVE-2025-54997 Container suse/sl-micro/6.0/base-os-container:latest:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Container suse/sl-micro/6.0/base-os-container:latest:shim-15.8-1.1 Container suse/sl-micro/6.0/toolbox:latest:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SL-Micro:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SL-Micro:shim-15.8-1.1 Image SLE-Micro:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SLE-Micro:shim-15.8-1.1 Image SLE-Micro-Azure:shim-15.8-1.1 Image SLE-Micro-BYOS:shim-15.8-1.1 Image SLE-Micro-BYOS-Azure:shim-15.8-1.1 Image SLE-Micro-BYOS-EC2:shim-15.8-1.1 Image SLE-Micro-BYOS-GCE:shim-15.8-1.1 Image SLE-Micro-EC2:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SLE-Micro-EC2:shim-15.8-1.1 Image SLE-Micro-GCE:shim-15.8-1.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1 critical