MEDIUM

GHSA-q8cj-789h-vg24

OpenBao's Inline Auth Incorrectly Redacted Headers

Details

### Impact

OpenBao's inline auth functionality incorrectly redacted audit log entries: non-auth headers were removed, while auth-related headers were retained in cleartext. Exploiting this requires an attacker to gain access to the audit device. Operators should review leaked source authentication material and rotate it as appropriate.
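One way to start the audit log review, as an added example that is neither OpenBao's code nor part of the advisory: a scanner that lists requests whose inline auth headers were logged without HMAC redaction. The `x-vault-inline-auth-` header prefix, the JSON-lines `request.headers` layout and the `hmac-sha256:` marker are assumptions to confirm against your deployment, and the sample log is constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Assumption: inline auth headers share this prefix (not stated in the advisory).
const inlineAuthPrefix = "x-vault-inline-auth-"

// Assumed entry shape: one JSON object per line, headers under request.headers.
type auditEntry struct {
	Request struct {
		ID      string              `json:"id"`
		Headers map[string][]string `json:"headers"`
	} `json:"request"`
}

// ScanAuditLog returns "request-id header" per inline auth header logged un-HMAC'd.
func ScanAuditLog(r io.Reader) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 16*1024*1024) // entries can be long
	for sc.Scan() {
		var e auditEntry
		if json.Unmarshal(sc.Bytes(), &e) != nil {
			continue // not a JSON audit entry
		}
		for name, vals := range e.Request.Headers {
			inline := strings.HasPrefix(strings.ToLower(name), inlineAuthPrefix)
			for _, v := range vals {
				if inline && !strings.HasPrefix(v, "hmac-sha256:") { // assumed marker
					out = append(out, e.Request.ID+" "+name)
					break
				}
			}
		}
	}
	return out, sc.Err()
}

// sampleLog is constructed for this example; it is not real OpenBao output.
const sampleLog = `{"request":{"id":"req-1","headers":{"x-vault-inline-auth-path":["CONSTRUCTED"]}}}
{"request":{"id":"req-2","headers":{"x-vault-inline-auth-path":["hmac-sha256:00"]}}}
{"request":{"id":"req-3","headers":{"user-agent":["curl"]}}}`

func main() { fmt.Println(ScanAuditLog(strings.NewReader(sampleLog))) }
```

Each reported request ID marks an entry whose source credentials should be treated as exposed to anyone who could read that audit device.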

### Patches

This is fixed in OpenBao v2.5.4.

### Resources

https://github.com/openbao/openbao/issues/3074

Affected packages

Go / github.com/openbao/openbao
Introduced in: 0; Fixed in: 2.5.4
Fix: `go get github.com/openbao/openbao@v2.5.4`

References