OpenBao Secrets Operator Exposed: GO-2024-2947 Vulnerability Leaks HTTP Basic Auth Credentials to Logs
A critical security vulnerability has been confirmed in the OpenBao Secrets Operator, where sensitive HTTP basic authentication credentials can be written in plain text to log files. The flaw, tracked as GO-2024-2947, is classified as 'reachable' by automated analysis tools, meaning the vulnerable code path is active and exploitable in the main branch of the project. This exposure stems from a failure to sanitize URLs before logging, turning routine operational logs into a potential trove of leaked secrets.
The vulnerability originates in the `github.com/hashicorp/go-retryablehttp` dependency used by the `openbao/openbao-secrets-operator` repository. The call that reaches the vulnerable code is pinpointed to line 515 of `internal/vault/client.go`, inside the `Write` function. Because the request URL is logged without sanitization, any URL carrying basic auth credentials (in the form `http://username:password@host...`) is recorded verbatim in application logs. The issue has been patched in version v0.7.7 of the operator.
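As an added illustration (not code from the operator or from go-retryablehttp), the Go program below contrasts a logger that writes the request URL verbatim, the defect class described here, with one that strips the userinfo component before logging; the URL, host name and credentials are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/url"
	"strings"
)

// leakyLogRequest reproduces the defect class: the request URL is logged as-is,
// so any userinfo component (user:password@) lands in the log file.
func leakyLogRequest(logger *log.Logger, method, rawURL string) {
	logger.Printf("[DEBUG] %s %s", method, rawURL)
}

// safeLogRequest logs the same request with credentials removed from the URL.
func safeLogRequest(logger *log.Logger, method, rawURL string) {
	logger.Printf("[DEBUG] %s %s", method, sanitizeURLForLog(rawURL))
}

// sanitizeURLForLog drops the userinfo component entirely. (net/url's
// URL.Redacted would keep the username and mask only the password.)
// An unparseable value is replaced by a fixed placeholder rather than echoed,
// so a malformed URL can never smuggle a secret into the log.
func sanitizeURLForLog(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable url>"
	}
	u.User = nil
	return u.String()
}

// logsContain runs fn against an in-memory logger and reports whether the
// captured output contains needle; useful as a regression check in CI.
func logsContain(fn func(*log.Logger), needle string) bool {
	var buf bytes.Buffer
	logger := log.New(&buf, "", 0)
	fn(logger)
	return strings.Contains(buf.String(), needle)
}

func main() {
	// Constructed sample URL carrying HTTP basic auth credentials.
	const target = "https://svc-account:S3cretPass@vault.example.internal:8200/v1/secret/data/app"
	leak := func(l *log.Logger) { leakyLogRequest(l, "PUT", target) }
	safe := func(l *log.Logger) { safeLogRequest(l, "PUT", target) }
	fmt.Println("verbatim logger leaks password:", logsContain(leak, "S3cretPass")) // true
	fmt.Println("sanitized logger leaks password:", logsContain(safe, "S3cretPass")) // false
}
```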
The presence of this vulnerability in a core secrets management tool creates a significant secondary exposure risk. Log files are usually protected far less strictly than primary secret stores: they may be readable by unauthorized users or shipped to log aggregation and monitoring systems, inadvertently broadcasting credentials. Any deployment running a vulnerable version is therefore at immediate risk of credential compromise, potentially granting attackers access to the very secrets the operator is designed to protect. Operators must upgrade to v0.7.7 without delay to close this information leak.