Go-Viper Mapstructure Information Disclosure Vulnerability in Field Processing Component

A vulnerability in the Go-Viper Mapstructure library, specifically in version 2.3.0 and prior, has been identified. The issue arises in the field processing component that utilizes 'mapstructure.WeakDecode', which can lead to unauthorized information disclosure. This vulnerability allows sensitive input values to be leaked through detailed error messages, when malformed user-supplied data is processed in contexts where security is critical.

Impact

Exploitation of this vulnerability can result in the unintentional leakage of sensitive information through error messages, which may be logged or otherwise exposed in the application.

Reproduction

To reproduce this vulnerability, use the OpenBao application with a Vault server. After enabling userpass authentication, send a PUT request to create a user with an invalid 'ttl' value. The server will respond with an error that includes sensitive information about the malformed input, demonstrating the information disclosure flaw.

Remediation

Users are advised to upgrade to Mapstructure version 2.4.0 or later, where this vulnerability has been fixed.