GoogleOSV:GHSA-65G2-X53Q-CMF6Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
9.0%
Summary
Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the info logging level during the kitchen converge action. Prior to v7.0.0, the output values were printed at the debug level to avoid writing sensitive values to the terminal by default.
Original Report
@brettcurtis:
> Hopefully, I’m not doing something stupid here, but I’m seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215
>
> It’s not really a sensitive value just used it as an example.
References
github.com/newcontext-oss/kitchen-terraform
github.com/newcontext-oss/kitchen-terraform/commit/3d20d60e7a891e2dd747df995a31226fa0b4ac48
github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6
github.com/rubysec/ruby-advisory-db/blob/master/gems/kitchen-terraform/CVE-2023-30618.yml
nvd.nist.gov/vuln/detail/CVE-2023-30618
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
9.0%