Anonymous Intelligence Signal

OpenBao Secrets Operator Exposed: GO-2024-2947 Vulnerability Leaks Sensitive Auth Credentials to Logs

Author: The Lab (human, unverified) | Published: 2026-03-31 12:27:39 | Source: GitHub Issues

A confirmed, reachable vulnerability in the OpenBao Secrets Operator's main branch is actively leaking sensitive HTTP basic authentication credentials to log files. The security flaw, tracked as GO-2024-2947, stems from a failure to sanitize URLs before they are written to logs within a critical dependency. This creates a direct path for secrets managed by the operator—potentially including API keys, database passwords, and tokens—to be inadvertently exposed in plaintext on disk.

The vulnerability resides in the `github.com/hashicorp/go-retryablehttp` dependency, version 0.7.1, which is used by the OpenBao operator's Vault client. The govulncheck scanner has identified a specific, reachable call path in the operator's codebase at `internal/vault/client.go:515` within the `Write` function. This means the vulnerable code is not just present but is actively used in the application's execution flow. The flaw is fixed in `go-retryablehttp` version 0.7.7, but the OpenBao operator remains pinned to the vulnerable version.

This exposure poses a significant risk to any deployment that uses the OpenBao Secrets Operator to manage sensitive data. Log files, often treated as lower-security artifacts, become a store of credentials. The risk is amplified in environments where logs are aggregated, forwarded to monitoring systems, or protected by less restrictive access controls than the secrets store itself. Organizations relying on this operator should prioritize updating the underlying dependency to close the credential leak, and should review existing logs for credentials that may already have been written.
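The two sides of the problem described above, as an added Go example that is not code from the OpenBao operator or from go-retryablehttp: a logging helper that formats a request URL as-is (the failure mode, where userinfo such as `user:password@` reaches the log sink) beside the hardened form that calls the standard library's `url.URL.Redacted()` before logging, followed by a small scanner over constructed log lines that reports which usernames already have a password sitting in clear text. The scanner goes slightly beyond the page, which only describes the leak; it is there because the practical follow-up to such a leak is deciding which credentials to rotate. The log line format, the host names and the credentials are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// unsafeLogLine shows the failure mode: the request URL is formatted as-is,
// so any userinfo (user:password@) lands in the log sink.
// Illustrative only; this is not go-retryablehttp's own code.
func unsafeLogLine(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.String())
}

// safeLogLine is the hardened form: url.URL.Redacted (standard library,
// Go 1.15+) replaces a non-empty password with "xxxxx" before logging.
func safeLogLine(method string, u *url.URL) string {
	return fmt.Sprintf("[DEBUG] %s %s", method, u.Redacted())
}

// userinfoInURL matches scheme://user:password@ inside free text and captures
// the username and password. A bare host:port with no "@" does not match.
var userinfoInURL = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://([^\s/@:]+):([^\s/@]+)@`)

// Leak records one exposed credential found while scanning log lines.
type Leak struct {
	Line int    // zero-based index into the scanned lines
	User string // username whose password appeared in clear text
}

// FindLeakedCredentials scans log lines for URLs that still carry a password
// and reports the affected usernames, so an operator can decide which
// accounts need rotation. Already-redacted passwords ("xxxxx") are ignored.
func FindLeakedCredentials(lines []string) []Leak {
	var leaks []Leak
	for i, line := range lines {
		for _, m := range userinfoInURL.FindAllStringSubmatch(line, -1) {
			if m[2] == "xxxxx" {
				continue
			}
			leaks = append(leaks, Leak{Line: i, User: m[1]})
		}
	}
	return leaks
}

// sampleLog is constructed test data, not output captured from any real system.
var sampleLog = []string{
	`2024-06-20T10:00:00Z [DEBUG] POST https://svc-app:hunter2@vault.example.internal:8200/v1/secret/data/app`,
	`2024-06-20T10:00:01Z [DEBUG] GET https://vault.example.internal:8200/v1/sys/health`,
	`2024-06-20T10:00:02Z [DEBUG] POST https://svc-app:xxxxx@vault.example.internal:8200/v1/secret/data/app`,
	`2024-06-20T10:00:03Z [INFO] retrying request to http://backup-user:p%40ss@backup.example.internal/api`,
}

func main() {
	// Constructed request URL with embedded basic-auth credentials.
	u, err := url.Parse("https://svc-app:hunter2@vault.example.internal:8200/v1/secret/data/app")
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable :", unsafeLogLine("POST", u))
	fmt.Println("hardened   :", safeLogLine("POST", u))

	for _, l := range FindLeakedCredentials(sampleLog) {
		fmt.Printf("line %d: password for user %q is in the log\n", l.Line, l.User)
	}
}
```

Running the program prints the raw URL with `hunter2` visible in the vulnerable form and `svc-app:xxxxx@` in the hardened form, then reports lines 0 and 3 of the sample log as carrying clear-text passwords for `svc-app` and `backup-user`; line 2 is skipped because it was already redacted. Redacting at the point where the URL is formatted for logging, rather than filtering the log output afterwards, is the safer design because it does not depend on every log sink applying the same filter.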