OpenBao Namespace Deletion Improper Data Clearance Vulnerability
Vulnerability
A vulnerability exists in OpenBao, an open-source identity-based secrets management system, in versions through 2.5.2. When the initial deletion of a namespace fails, subsequent attempts do not fully clear all associated data before marking the namespace as deleted. This issue can leave behind unrelated storage entries and affect any active leases.
Impact
This vulnerability can lead to leftover data in storage that is not properly cleared, potentially causing conflicts or confusion in data management. Additionally, it can disrupt the handling of leases associated with the affected namespace.
Reproduction
To reproduce this vulnerability, attempt to delete a namespace in OpenBao. If the deletion fails, try to delete the namespace again. The second deletion attempt will not properly clear all data, leaving behind residual storage entries and potentially affecting any active leases.
Remediation
Users can manually remove mounts before deleting a namespace to prevent this issue. After updating to OpenBao version 2.5.3, which addresses this vulnerability, users should ensure that any namespaces previously deleted can be cleared without leaving residual data.
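One way to script the workaround of removing mounts before deleting a namespace, as an added example that is not OpenBao project code. It assumes an authenticated `bao` CLI on the PATH whose `secrets list`, `auth list`, `secrets disable`, `auth disable` and `namespace delete` subcommands accept `-namespace` and `-format=json` as used here, and that `sys/`, `identity/`, `cubbyhole/` and `token/` are built-in mounts that cannot be disabled; the namespace `team-a` and the sample listings are constructed.

```python
import json
import subprocess

# Assumption: these mounts are created by the server in every namespace and
# cannot be disabled, so they are left out of the plan.
BUILTIN = {"secrets": {"sys/", "identity/", "cubbyhole/"}, "auth": {"token/"}}

def plan_cleanup(namespace, listings):
    """Build the ordered bao commands: disable every user mount, then delete.

    listings maps "secrets"/"auth" to the JSON text printed by
    `bao <kind> list -format=json`, an object keyed by mount path.
    """
    plan = []
    for kind in ("secrets", "auth"):
        for path in sorted(json.loads(listings[kind])):
            if path not in BUILTIN[kind]:
                plan.append(["bao", kind, "disable", f"-namespace={namespace}", path])
    # The delete comes last, so it is only reached once the mounts are gone.
    plan.append(["bao", "namespace", "delete", namespace])
    return plan

def list_mounts(kind, namespace):
    argv = ["bao", kind, "list", "-format=json", f"-namespace={namespace}"]
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

def cleanup(namespace, dry_run=True):
    listings = {kind: list_mounts(kind, namespace) for kind in ("secrets", "auth")}
    plan = plan_cleanup(namespace, listings)
    for argv in plan:
        print(" ".join(argv))
        if not dry_run:
            # check=True aborts on the first failed step, so the namespace is
            # never deleted while a mount is still present.
            subprocess.run(argv, check=True)
    return plan

# Constructed sample listings for a hypothetical namespace "team-a".
SAMPLE = {
    "secrets": '{"cubbyhole/": {"type": "cubbyhole"}, "identity/": {"type": "identity"},'
               ' "sys/": {"type": "system"}, "kv/": {"type": "kv"}, "pki/": {"type": "pki"}}',
    "auth": '{"token/": {"type": "token"}, "userpass/": {"type": "userpass"}}',
}

if __name__ == "__main__":
    for argv in plan_cleanup("team-a", SAMPLE):
        print(" ".join(argv))
```

Run `cleanup("team-a")` first with the default `dry_run=True` to review the commands, then with `dry_run=False` to execute them.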
