CVEbaza.plCWE DictionaryCWE-156
Common Weakness Enumeration

CWE-156

Improper Neutralization of Whitespace

Category: VariantCVE: 5
Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.

Extended Description

This can include space, tab, etc.

CVE vulnerabilities with CWE-156 (5)
6.5
CVSS
MEDIUM
CVE-2025-55000

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.

pub. 2025-08-09
6.5
CVSS
MEDIUM
CVE-2025-55001

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly.

pub. 2025-08-09
6.5
CVSS
MEDIUM
CVE-2025-6013

Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

pub. 2025-08-06
6.5
CVSS
MEDIUM
CVE-2025-6014

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

pub. 2025-08-01
5.4
CVSS
MEDIUM
CVE-2025-55127

HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion.

pub. 2025-11-20
Information
ID: CWE-156
Type: Variant
Vulnerabilities: 5
MITRE CWE ↗
← CWE Dictionary
CWE-156 — Improper Neutralization of Whitespace | CWE Dictionary | CVEbaza.pl