Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in OpenBao, an open-source secrets management system, specifically affecting installations with OIDC/JWT authentication and a particular role configuration. The issue could allow an attacker to gain access to a victim's authentication token through a web interface. The vendor has released a version addressing this vulnerability and also provided a configuration-based mitigation.
- Flaw in secrets manager allows token theft.
- Protects user credentials and system access.
- Confirm relevance and verify system exposure.
Attack Path
How an attacker could exploit the issue
An attacker could exploit this vulnerability by sending a crafted link to a victim. When the victim clicks the link, their browser will interact with an OpenBao instance that has a specific OIDC/JWT authentication method enabled. This interaction will trigger a cross-site scripting vulnerability in the error handling of a failed authentication attempt, allowing the attacker to potentially access the victim's authentication token for the Web UI.
- Unauthenticated network access required.
- User interaction with a malicious link.
- Access to victim's Web UI token.
Live Threat
Current exploitation, exposure, and threat context
When an OpenBao installation has an OIDC/JWT authentication method enabled and a role configured with `callback_mode=direct`, a cross-site scripting vulnerability in the `error_description` parameter during failed authentication could allow an attacker to access a victim user's authentication token used by the Web UI.
- User authentication tokens.
- Via a crafted error message parameter.
- Token theft for unauthorized access.
Operational Fix
Recommended remediation, mitigation, and detection steps
The OpenBao administrator or platform team is responsible for addressing this vulnerability. The initial step involves identifying all OpenBao installations, confirming if the OIDC/JWT authentication method with `callback_mode=direct` is configured, and assessing the exposure of the affected page. Once identified, the accountable owner should be determined to plan remediation, which may involve vendor coordination or applying temporary risk reduction measures.
- Application or platform team owns remediation.
- Verify OIDC/JWT and `callback_mode=direct` roles.
- Plan remediation based on exposure and risk.