How the CVE Works
OpenBao versions before 2.3.0 and HashiCorp Vault up to 1.19.5 improperly handle malformed data, leading to sensitive information being logged in error files. When processing invalid requests, particularly with the KV v2 plugin, secrets may be written to logs in plaintext. This occurs due to insufficient input validation before logging errors, exposing credentials, tokens, or other confidential data to unauthorized log viewers. Attackers could exploit this by sending crafted malformed requests, forcing the system to log sensitive details.
DailyCVE Form
Platform: OpenBao / HashiCorp Vault
Version: < 2.3.0 / ≤ 1.19.5
Vulnerability: Information Disclosure
Severity: Medium
Date: Jun 26, 2025
Prediction: Patch expected by Jun 30, 2025
What Undercode Says
Analytics:
grep -r "sensitive_key" /var/log/openbao
audit-log-parser --filter "KVv2_Error"
How to Exploit:
- Send malformed KV v2 requests.
- Monitor server/audit logs for leaked data.
Protection from this CVE
- Upgrade to OpenBao ≥ 2.3.0.
- Restrict log access permissions.
- Rotate exposed secrets.
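To support the last two steps (monitoring logs and rotating whatever was exposed), here is an added example, not part of the original post or of the OpenBao/Vault projects, that scans JSON-formatted server log lines for KV-plugin error entries carrying secret-looking key/value pairs and reports them redacted so the report itself does not re-leak them. The log field names, the error message text and the sample lines are constructed assumptions for illustration, not the real output of the vulnerable versions.

```python
import json
import re
from typing import Iterable

# Constructed sample log lines in the JSON-lines shape that Vault/OpenBao can emit
# with -log-format=json. Field names and the error text are assumptions, not the
# actual output of the affected releases. Line 2 mimics a KV v2 decode error that
# echoed the rejected request body, secrets included.
SAMPLE_LOG = """\
{"@level":"info","@message":"request handled","path":"secret/data/app"}
{"@level":"error","@message":"kv-v2: failed to decode request body: {\\"data\\":{\\"db_password\\":\\"Sup3r-S3cret-Pa55\\",\\"api_key\\":\\"example-api-key-0123\\"}}","path":"secret/data/app"}
{"@level":"error","@message":"permission denied","path":"sys/health"}
"""

# Heuristic: flag a pair when its key name looks secret-bearing. Tune for your environment.
SECRET_KEY_RE = re.compile(r"(pass(word)?|secret|token|api[_-]?key|private[_-]?key)", re.I)
KV_PAIR_RE = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')

def redact(value: str) -> str:
    """Keep only a short prefix so an operator can recognise the secret without re-exposing it."""
    return value[:4] + "..." if len(value) > 4 else "..."

def find_leaked_secrets(lines: Iterable[str]) -> list[dict]:
    """Return one finding per secret-looking pair found inside a KV-plugin error entry."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON lines (e.g. startup banner) are out of scope
        if entry.get("@level") != "error":
            continue
        msg = entry.get("@message", "")
        if "kv" not in msg.lower():  # only KV-plugin errors are relevant to this issue
            continue
        for key, value in KV_PAIR_RE.findall(msg):
            if value and SECRET_KEY_RE.search(key):
                findings.append({"line": lineno, "path": entry.get("path"),
                                 "key": key, "redacted": redact(value)})
    return findings

if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['path']} leaked '{f['key']}' ({f['redacted']}) -> rotate")
```

Run it against a copy of the log taken with restricted permissions; each reported key is a secret to rotate, and the line numbers tell you which requests to correlate with the audit log.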
Impact:
- Unauthorized secret exposure.
- Compromised credentials.
- Audit trail tampering.
Sources:
Reported By: github.com