OpenBao Audit Log Redaction Vulnerability Allowing HTTP Body Leakage

Vulnerability

A vulnerability in OpenBao, an identity-based secrets management system, has been identified in versions 2.2.0 prior to 2.4.1. This vulnerability allows raw HTTP bodies from certain endpoints to be improperly logged, failing to apply necessary redactions. As a result, sensitive information such as short-lived ACME verification challenge codes and OIDC auth and token response codes, along with claims, could be exposed in the audit logs. Third-party plugins may also be affected.

Impact

The vulnerability could lead to the unintentional exposure of sensitive HTTP response bodies in the audit logs, including ACME verification codes and OIDC-related auth and token response information.

Reproduction

The vulnerability can be reproduced by using OpenBao versions 2.2.0 to 2.4.1 and accessing endpoints that involve raw HTTP bodies, particularly those related to ACME functionality in PKI or OIDC issuer functionality.

Remediation

Users can upgrade to OpenBao version 2.4.2, which addresses this vulnerability by properly redacting HTTP raw body response parameters in the audit logs.
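For operators who cannot upgrade immediately, or who want to check whether an exposure already happened, the practical step is to scan existing audit logs for response entries on the ACME and OIDC paths whose raw body field was written in the clear rather than as an HMAC. The following Python script is an added example written for this page; it is not OpenBao's own code. It assumes the JSON audit device format (one JSON object per line, redacted values written as `hmac-sha256:<hex>`) and assumes the raw-body response field is named `http_raw_body`, the name used in the Vault codebase OpenBao forked from; confirm that key against your own build. The sample log lines are constructed, not real audit output, and the scanner reports only the line, path and body length, never the body itself, so the report does not re-leak the secret.

```python
"""Scan OpenBao JSON audit log lines for raw HTTP response bodies that were
written without HMAC redaction (the failure mode the advisory describes)."""
import json
import re

# Assumed field name for raw HTTP response bodies in audit entries; verify it
# against the source of the OpenBao build you run.
RAW_BODY_KEY = "http_raw_body"
# Properly redacted values in the JSON audit device look like "hmac-sha256:<hex>".
HMAC_RE = re.compile(r"^hmac-sha256:[0-9a-f]+$")
# Endpoints the advisory names: ACME under a PKI mount and the OIDC issuer.
SENSITIVE_PATH_RE = re.compile(r"(^|/)(acme/|oidc/)")

# Constructed sample lines (not real audit output); shape follows the JSON audit device.
SAMPLE_LOG = "\n".join([
    # 1: ACME response whose raw body was logged in the clear -> should be flagged
    json.dumps({"time": "2025-10-22T20:00:00Z", "type": "response",
                "request": {"path": "pki/acme/new-order", "operation": "update"},
                "response": {"data": {RAW_BODY_KEY: '{"status":"pending","token":"constructed-token"}'}}}),
    # 2: OIDC token response whose raw body was correctly HMAC-redacted -> not flagged
    json.dumps({"time": "2025-10-22T20:00:01Z", "type": "response",
                "request": {"path": "identity/oidc/token", "operation": "update"},
                "response": {"data": {RAW_BODY_KEY: "hmac-sha256:" + "ab" * 32}}}),
    # 3: request-type entry (no response body at all) -> not flagged
    json.dumps({"time": "2025-10-22T20:00:02Z", "type": "request",
                "request": {"path": "pki/acme/new-order", "operation": "update"}}),
    # 4: unrelated KV path with redacted data -> not flagged
    json.dumps({"time": "2025-10-22T20:00:03Z", "type": "response",
                "request": {"path": "secret/data/app", "operation": "read"},
                "response": {"data": {"data": "hmac-sha256:" + "cd" * 32}}}),
])


def is_redacted(value):
    """True only if the value is the HMAC placeholder the audit device writes."""
    return isinstance(value, str) and HMAC_RE.match(value) is not None


def find_unredacted_raw_bodies(log_text):
    """Return one finding per response entry on a sensitive path whose raw
    body field is present and not HMAC-redacted. Non-JSON lines are skipped."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("type") != "response":
            continue
        path = (entry.get("request") or {}).get("path", "")
        if not SENSITIVE_PATH_RE.search(path):
            continue
        data = (entry.get("response") or {}).get("data") or {}
        if RAW_BODY_KEY not in data:
            continue
        body = data[RAW_BODY_KEY]
        if is_redacted(body):
            continue
        # A non-string body (e.g. a decoded object) is also unredacted.
        findings.append({"line": line_no, "path": path, "body_length": len(str(body))})
    return findings


if __name__ == "__main__":
    for finding in find_unredacted_raw_bodies(SAMPLE_LOG):
        print("unredacted raw body: line %(line)d path=%(path)s length=%(body_length)d" % finding)
```

Run it against a real log with `find_unredacted_raw_bodies(open("audit.log").read())`; any finding on an ACME or OIDC path from an affected version means the challenge token or OIDC code in that response should be treated as exposed to everyone with read access to the audit log, and the log itself should be handled as sensitive until rotated.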

Added: Oct 22, 2025, 8:19 PM
Updated: Oct 22, 2025, 9:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.