OpenBao PostgreSQL Database Secrets Engine SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in OpenBao versions through 2.5.2, specifically within the PostgreSQL database secrets engine. The issue arises when OpenBao revokes privileges on a role: the schema names used in the revocation statements are not properly quoted. This flaw can lead to unsuccessful role revocations or, in rare cases, allow SQL injection as the management user.

Impact

Exploitation of this vulnerability could result in SQL injection, allowing an attacker to execute arbitrary SQL commands in the context of the database management user.

Remediation

Users can upgrade to OpenBao version 2.5.3, where this vulnerability has been patched. As an additional step, it is recommended to audit table schemas and ensure that database users cannot create new schemas or grant privileges on them.
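The two statement shapes at issue, as an added example that is not OpenBao's own code: the bare interpolation the advisory describes beside the quoted form, plus a small filter for the schema audit the remediation recommends. The REVOKE statement text, the role name and the schema names are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdentifier renders name as a double-quoted PostgreSQL identifier with
// embedded quotes doubled (the rule lib/pq's QuoteIdentifier applies).
func quoteIdentifier(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// revokeUnquoted mirrors the defect the advisory describes: the schema name
// is interpolated bare, so quotes or a semicolon in it change the statement.
func revokeUnquoted(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
		schema, quoteIdentifier(role))
}

// revokeQuoted is the hardened form: every identifier read back from the
// database is quoted, so the schema name always stays a single token.
func revokeQuoted(schema, role string) string {
	return fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;",
		quoteIdentifier(schema), quoteIdentifier(role))
}

// needsQuoting reports whether a name is misparsed when interpolated bare,
// i.e. anything beyond [a-z0-9_] (reserved words are not checked here).
func needsQuoting(name string) bool {
	for i, r := range name {
		if !((r >= 'a' && r <= 'z') || r == '_' || (i > 0 && r >= '0' && r <= '9')) {
			return true
		}
	}
	return name == ""
}

// suspiciousSchemas filters a schema listing (e.g. SELECT nspname FROM
// pg_namespace) down to the names an auditor should look at first.
func suspiciousSchemas(names []string) []string {
	var out []string
	for _, n := range names {
		if needsQuoting(n) {
			out = append(out, n)
		}
	}
	return out
}
```

Feeding a constructed schema name such as `odd"name; --` through both builders shows the difference: the unquoted form emits it bare inside the statement, the quoted form keeps it as one identifier.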

Added: Apr 21, 2026, 1:18 AM
Updated: Apr 21, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.4
remediation: 0.0
relevance: 6.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.