9.6 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): LOW
by @mweinelt Activity log
- Created automatic suggestion
-
@LeSuisse
removed
2 maintainers
- @emilylange
- @brianmay
-
@mweinelt
added
2 maintainers
- @emilylange
- @brianmay
- @mweinelt accepted
- @mweinelt published on GitHub
OpenBao lacks user confirmation for OIDC direct callback mode
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.
References
- https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3 x_refsource_CONFIRM
- https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964 x_refsource_MISC
- https://datatracker.ietf.org/doc/html/rfc8628#section-5.4 x_refsource_MISC
Affected products
- ==< 2.5.2
Package maintainers
-
@emilylange Emily Lange <nix@emilylange.de>
-
@brianmay Brian May <brian@linuxpenguins.xyz>