vulndb: correct misinformation in GO-2025-3783

This vulnerability was incorrectly edited by GitHub staff without
consulting the project. As noted in the original report, this affects
the rotation endpoints on the server: it does not impact the client API
package in any way.

This vulnerability was original to HashiCorp Vault thus the initial
affected version is 0 (present in all earlier OpenBao versions).

The server is not directly importable and should not be consumed by
third-parties except through a release.

See also: GHSA-prpj-rchp-9j5h
See also: github/advisory-database#5990
Resolves: #3877

Signed-off-by: Alexander Scheel <[email protected]>

Author: cipherboy

data/osv/GO-2025-3783.json

@@ -7,12 +7,12 @@
     "CVE-2025-52894",
     "GHSA-prpj-rchp-9j5h"
   ],
-  "summary": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao/api",
-  "details": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao/api.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .",
+  "summary": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao",
+  "details": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication in github.com/openbao/openbao.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .",
   "affected": [
     {
       "package": {
-        "name": "github.com/openbao/openbao/api",
+        "name": "github.com/openbao/openbao",
         "ecosystem": "Go"
       },
       "ranges": [
@@ -29,7 +29,7 @@
     },
     {
       "package": {
-        "name": "github.com/openbao/openbao/api/v2",
+        "name": "github.com/openbao/openbao",
         "ecosystem": "Go"
       },
       "ranges": [
@@ -51,7 +51,7 @@
             "type": "ECOSYSTEM",
             "events": [
               {
-                "introduced": "2.2.2"
+                "introduced": "0"
               }
             ]
           }
@@ -89,4 +89,4 @@
     "url": "https://pkg.go.dev/vuln/GO-2025-3783",
     "review_status": "UNREVIEWED"
   }
-}
+}

data/reports/GO-2025-3783.yaml

@@ -1,16 +1,16 @@
 id: GO-2025-3783
 modules:
-    - module: github.com/openbao/openbao/api
-      vulnerable_at: 1.12.2
-    - module: github.com/openbao/openbao/api/v2
+    - module: github.com/openbao/openbao
+      vulnerable_at: 0
+    - module: github.com/openbao/openbao
       versions:
         - fixed: 2.3.1
       non_go_versions:
-        - introduced: 2.2.2
+        - introduced: 0
       vulnerable_at: 2.3.0
 summary: |-
     OpenBao allows cancellation of root rekey and recovery rekey operations without
-    authentication in github.com/openbao/openbao/api
+    authentication in github.com/openbao/openbao.
 cves:
     - CVE-2025-52894
 ghsas: