OpenBao Secrets Operator Exposed: GO-2024-2947 Vulnerability Leaks Sensitive Auth Credentials to Logs
A critical security vulnerability has been confirmed in the OpenBao Secrets Operator, where sensitive HTTP basic authentication credentials can be leaked directly into log files. The flaw, tracked as GO-2024-2947, is flagged as 'reachable' by automated scanning tools, meaning the operator's own code calls into the vulnerable code path rather than merely importing the affected module, so the leak is exploitable in practice. The exposure stems from a failure to redact the userinfo component of URLs (the `user:password@` portion) before those URLs are written to logs, revealing secrets that should remain confidential.
The vulnerability affects the `openbao/openbao-secrets-operator` repository on its main branch. The flaw itself lives in the `github.com/hashicorp/go-retryablehttp` dependency at version v0.7.1, which is pulled in through `github.com/hashicorp/vault/[email protected]`. The reachable call site in the operator is line 515 of `internal/vault/client.go`, inside the `Write` function. The issue has been fixed in version v0.7.7 of the `go-retryablehttp` module, but the operator currently depends on the vulnerable version.
This finding places immediate pressure on any organization or project deploying the OpenBao Secrets Operator, since the operator's whole purpose is handling sensitive secrets. The risk is not theoretical: the govulncheck tool has confirmed a reachable call path to the vulnerable code. Unredacted credentials in logs can be read by anyone with access to those logs, including log aggregation and retention systems, leading to unauthorized access to protected systems or data. The incident underscores the persistent risk of credential leakage through ancillary channels such as logging, even within security-focused infrastructure tooling.
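The defensive control this class of bug calls for is shown below as an added example in Go (not code from the operator, OpenBao, or `go-retryablehttp`): a helper that strips the password from a URL's userinfo before the URL reaches a logger, and a scanner that flags already-written log lines containing embedded basic auth credentials. The log lines and hostnames are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// redactURL returns a copy of rawURL that is safe to log: the password in the
// userinfo component is replaced while the username is kept for debugging.
// Unparseable input is replaced wholesale rather than passed through, since it
// may still carry a secret. (Go's (*url.URL).Redacted does the same with "xxxxx".)
func redactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable url redacted>"
	}
	if u.User != nil {
		if _, hasPw := u.User.Password(); hasPw {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	return u.String()
}

// credInURL matches scheme://user:pass@ inside free text such as a log line.
// The password class excludes '/' and whitespace so host:port never matches.
var credInURL = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^\s/@:]+:[^\s/@]+@`)

// findLeakedCredentialLines returns the indices of log lines that embed basic
// auth credentials in a URL, for auditing logs written by a vulnerable client.
func findLeakedCredentialLines(logLines []string) []int {
	var hits []int
	for i, line := range logLines {
		if credInURL.MatchString(line) {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	// Constructed sample log lines, not taken from any real deployment.
	logs := []string{
		"[DEBUG] GET https://vault.example.internal:8200/v1/secret/data/app",
		"[DEBUG] GET https://svc:s3cr3t@vault.example.internal:8200/v1/auth/login",
	}
	fmt.Println("leaking lines:", findLeakedCredentialLines(logs)) // [1]
	fmt.Println(redactURL("https://svc:s3cr3t@vault.example.internal:8200/v1/auth/login"))
}
```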