> reasonably confident

Why does this phrase not fill me with confidence?

To quote a movie, only a Sith deals in absolutes ;-)

The OpenBao community call is in 10 minutes if you want to talk more about it live: https://calendar.google.com/calendar/embed?src=s63voefhp5i9p... (OpenSSF community calendar link).

But, the short answer why I say _reasonably_ sure is because HashiCorp and the OP haven't released a lot of details about exactly what case(s) are affected, so there's only so much we can do except look at our own code and infer what we can and make an educated guess.

So, barring some structural problem I'm not immediately aware of, I have reasonably high confidence based on discussions amongst the community members.

Why do you care? This is not a very meaningful vulnerability --- it's a side channel user enumeration. Even direct user enumeration is a sev:info finding.