Anonymous Intelligence Signal

OpenBao Secrets Operator Exposed: GO-2024-2947 Vulnerability Leaks HTTP Basic Auth Credentials to Logs

human The Lab unverified 2026-03-30 02:26:56 Source: GitHub Issues

A critical security vulnerability has been confirmed in the OpenBao Secrets Operator: HTTP basic authentication credentials can be written in plain text to log files. The flaw, tracked as GO-2024-2947, is classified as 'reachable' by automated scanning tools, meaning the vulnerable code path is actively used and exploitable. This opens a direct channel for credential leakage in systems that rely on this popular secrets management tool.

The vulnerability originates in the `github.com/hashicorp/go-retryablehttp` library, which logs request URLs without first stripping any authentication details they contain. In the OpenBao operator the vulnerable call sits at `internal/vault/client.go:515`, inside the `Write` function. The issue was fixed in version v0.7.7 of openbao/openbao-secrets-operator, but any deployment running an earlier version from the `main` branch remains at risk.

This type of information leak is particularly dangerous in production environments, where logs are often aggregated, monitored, or stored under less stringent access controls than the secrets vault itself. It undermines the core security promise of a secrets operator by creating a secondary, unprotected repository for credentials. Organizations must immediately verify their deployed version and upgrade to v0.7.7 or later to mitigate the risk of credential exposure through their application logs.
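The following Go program is an added illustration, not code from the OpenBao operator or from go-retryablehttp. It models the leak described above (a request URL whose userinfo part carries a username and password is formatted into a debug log line as-is), shows the hardened form using the standard library's `(*url.URL).Redacted`, and includes a small scanner for log lines that already contain such credentials. The hostname `vault.example.internal`, the usernames and the passwords are constructed placeholders; `unsafeRequestLine` is a model of the bug's behaviour, not the library's actual code, and the `[DEBUG]`/`[ERR]` prefixes merely mirror the library's logging style.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Constructed sample (not from the advisory): a hypothetical Vault/OpenBao write
// whose URL embeds HTTP basic auth credentials in the userinfo part.
const sampleURL = "https://svc-account:hunter2@vault.example.internal/v1/secret/data/app"

// sampleRequest builds the request an operator might issue. http.NewRequest keeps
// the userinfo in req.URL, which is exactly what ends up in a debug log line.
func sampleRequest() *http.Request {
	req, err := http.NewRequest(http.MethodPut, sampleURL, strings.NewReader("{}"))
	if err != nil {
		panic(err)
	}
	return req
}

// unsafeRequestLine models the pre-fix behaviour described above: the request URL
// is formatted as-is, so the password in the userinfo lands in the log verbatim.
func unsafeRequestLine(req *http.Request) string {
	return fmt.Sprintf("[DEBUG] %s %s", req.Method, req.URL.String())
}

// safeRequestLine redacts before formatting. (*url.URL).Redacted replaces a
// non-empty password with "xxxxx" and keeps username, host and path for debugging.
func safeRequestLine(req *http.Request) string {
	return fmt.Sprintf("[DEBUG] %s %s", req.Method, req.URL.Redacted())
}

// credentialInURL matches scheme://user:password@ at the start of a URL.
var credentialInURL = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://([^:/\s@]+):([^@\s]+)@`)

// findLeakedCredentials returns the 1-based numbers of log lines that carry a
// password inside a URL, ignoring lines already redacted to the "xxxxx" placeholder.
// Run it over logs written before the upgrade to find credentials that need rotating.
func findLeakedCredentials(logLines []string) []int {
	var hits []int
	for i, line := range logLines {
		if m := credentialInURL.FindStringSubmatch(line); m != nil && m[2] != "xxxxx" {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// sampleLogLines is a constructed log excerpt; hosts and credentials are placeholders.
func sampleLogLines() []string {
	return []string{
		"[DEBUG] PUT https://svc-account:hunter2@vault.example.internal/v1/secret/data/app",
		"[DEBUG] GET https://vault.example.internal/v1/sys/health",
		"[DEBUG] PUT https://svc-account:xxxxx@vault.example.internal/v1/secret/data/app",
		"[ERR] PUT https://operator:s3cr3t@vault.example.internal/v1/auth/token request failed",
	}
}

func main() {
	req := sampleRequest()
	fmt.Println("vulnerable:", unsafeRequestLine(req))
	fmt.Println("hardened:  ", safeRequestLine(req))
	fmt.Println("log lines with leaked credentials:", findLeakedCredentials(sampleLogLines()))
}
```

Upgrading stops new leaks but does not retract log lines already written and shipped to aggregators; the scanner above is the kind of check to run over retained logs, and any credential it turns up should be treated as exposed and rotated. Redacting at the point of logging (rather than filtering downstream) is the right fix because it keeps the rest of the URL available for troubleshooting while never letting the password leave the process.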