OpenBao OIDC Authentication Error Parameter XSS Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in OpenBao, an open-source identity-based secrets management system. This issue affects installations using the OIDC/JWT authentication method, specifically those with a role configured for direct callbacks. The vulnerability arises from the 'error_description' parameter, which can be manipulated to execute scripts on the page where authentication failures are displayed. As a result, an attacker could gain access to the authentication token of a user in the Web UI. This vulnerability exists in OpenBao versions through 2.5.1 and has been addressed in version 2.5.2.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, enable the OIDC/JWT authentication method in OpenBao and create a role with 'callback_mode' set to 'direct'. When an authentication failure occurs, the 'error_description' parameter can be used to inject scripts, which will be executed in the user's browser.

Remediation

Users can upgrade to OpenBao version 2.5.2, where this vulnerability has been fixed. Alternatively, roles with 'callback_mode' set to 'direct' can be removed to mitigate the issue.