CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
9.0%
Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the info
logging level during the kitchen converge
action. Prior to v7.0.0, the output values were printed at the debug
level to avoid writing sensitive values to the terminal by default.
@brettcurtis:
> Hopefully, I’m not doing something stupid here, but I’m seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215
>
> It’s not really a sensitive value just used it as an example.
github.com/newcontext-oss/kitchen-terraform
github.com/newcontext-oss/kitchen-terraform/commit/3d20d60e7a891e2dd747df995a31226fa0b4ac48
github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6
github.com/rubysec/ruby-advisory-db/blob/master/gems/kitchen-terraform/CVE-2023-30618.yml
nvd.nist.gov/vuln/detail/CVE-2023-30618