CVE-2025-59048
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-12-05

Assigner: GitHub, Inc.

Description
OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround is to guarantee that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and to audit for any duplicate IAM roles.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: openbao
Product: aws_plugin
Version / Range: up to 0.1.1 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-694: The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a cross-account IAM role impersonation issue in the OpenBao auth-aws plugin (versions prior to 0.1.1). It occurs because the plugin's caching mechanism does not properly validate the AWS Account ID during authentication. As a result, an IAM role from an untrusted AWS account can impersonate a role with the same name in a trusted account, gaining unauthorized access. This mainly affects environments where IAM role names are not unique across multiple AWS accounts. [2]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized access by allowing an attacker to impersonate IAM roles across AWS accounts. This can result in exposure of secrets, data exfiltration, and privilege escalation within your AWS environment. It poses a high risk to confidentiality and integrity of your data and systems. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by auditing your AWS environment for duplicate IAM role names across multiple AWS accounts that interact with your OpenBao environment. Specifically, you should check for IAM roles with the same name in different accounts, as this is a prerequisite for exploitation. While no specific commands are provided, you can use AWS CLI commands such as 'aws iam list-roles' in each account and compare role names to identify duplicates. Additionally, reviewing the bound_iam_principal_arn configuration for wildcards may help identify increased attack surface. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the auth-aws plugin to version 0.1.1 or later, where the vulnerability is patched. If upgrading is not immediately possible, ensure that IAM role names are unique across all AWS accounts that interact with your OpenBao environment by auditing and enforcing naming conventions with account-specific identifiers. Additionally, remove wildcards from the bound_iam_principal_arn configuration to reduce the attack surface, although this alone is insufficient to fully mitigate the vulnerability. [2]
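
As an added example (not code from the advisory or the OpenBao project), the following Python script performs the two checks described in the detection and mitigation answers above: it takes the JSON that `aws iam list-roles --output json` prints in each account, reports role names that occur in more than one account, and flags `bound_iam_principal_arn` entries that contain a wildcard. The list-roles output and account IDs below are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed 'aws iam list-roles --output json' output for
# three accounts. "deploy-role" exists in both 111111111111 and 333333333333,
# which is the precondition the advisory describes (non-unique role names).
SAMPLE_LIST_ROLES = {
    "111111111111": json.dumps({"Roles": [
        {"RoleName": "deploy-role", "Arn": "arn:aws:iam::111111111111:role/deploy-role"},
        {"RoleName": "ci-runner", "Arn": "arn:aws:iam::111111111111:role/ci-runner"}]}),
    "222222222222": json.dumps({"Roles": [
        {"RoleName": "audit-reader", "Arn": "arn:aws:iam::222222222222:role/audit-reader"}]}),
    "333333333333": json.dumps({"Roles": [
        {"RoleName": "deploy-role", "Arn": "arn:aws:iam::333333333333:role/deploy-role"}]}),
}


def find_duplicate_role_names(list_roles_json_by_account):
    """Map each role name defined in more than one account to the sorted list
    of account IDs (taken from the role ARN) that define it."""
    accounts_by_name = defaultdict(set)
    for raw in list_roles_json_by_account.values():
        for role in json.loads(raw).get("Roles", []):
            # Role ARN layout: arn:partition:iam::ACCOUNT_ID:role/name
            account_id = role["Arn"].split(":")[4]
            accounts_by_name[role["RoleName"]].add(account_id)
    return {name: sorted(ids) for name, ids in accounts_by_name.items() if len(ids) > 1}


def wildcard_bound_principals(bound_iam_principal_arns):
    """Return the bound_iam_principal_arn entries that use a wildcard; each one
    widens the set of principals the OpenBao role accepts."""
    return [arn for arn in bound_iam_principal_arns if "*" in arn]


if __name__ == "__main__":
    for name, ids in sorted(find_duplicate_role_names(SAMPLE_LIST_ROLES).items()):
        print(f"duplicate IAM role name {name!r} in accounts {ids}")
    for arn in wildcard_bound_principals(["arn:aws:iam::111111111111:role/*"]):
        print(f"wildcard bound_iam_principal_arn: {arn}")
```

In practice, replace the sample with the real output of `aws iam list-roles --output json` run under a profile for each account, and take the bound ARNs from the OpenBao role configuration.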

