OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
Description
Impact
In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity information, which are hidden by the returned error message. No access to these tokens by the caller occurs and the authentication token is not ever made accessible outside of sys/raw. At most this could cause storage usage.
Patches
This is fixed in OpenBao v2.5.4.
Workarounds
Users may set a rate limit quota to limit the creation of these paths. As the path is unauthenticated, it isn't possible to deny access to it.
Reporter
This was discovered by an anonymous reporter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/openbao/openbaoGo | < 2.5.4 | 2.5.4 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-7j6w-vvw2-5f9cghsaADVISORY
- github.com/openbao/openbao/commit/0d82e0a5a3b6a93e8087bcbaf0b11326c12d4f4dghsaWEB
- github.com/openbao/openbao/pull/3150ghsaWEB
- github.com/openbao/openbao/releases/tag/v2.5.4ghsaWEB
- github.com/openbao/openbao/security/advisories/GHSA-7j6w-vvw2-5f9cghsaWEB
News mentions
0No linked articles in our index yet.