Lucene search

RubySecRUBY:KITCHEN-TERRAFORM-2023-30618

HistoryApr 23, 2023 - 9:00 p.m.

Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform

2023-04-2321:00:00

RubySec

github.com

terraform

kitchen-terraform

sensitive values

logging level

regression

terminal security

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

JSON

Summary
Kitchen-Terraform v7.0.0 introduced a regression which caused all
Terraform output values, including sensitive values, to be printed
at the info logging level during the kitchen converge action.
Prior to v7.0.0, the output values were printed at the debug level
to avoid writing sensitive values to the terminal by default.

Original Report

@brettcurtis:
Hopefully, I’m not doing something stupid here, but I’m seeing
sensitive outputs printed in the kitchen output. You can check
this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215

It's not really a sensitive value just used it as an example.

Affected configurations

Vulners

Node

rubykitchen-terraformRange≤7.0.1

VendorProductVersionCPE
rubykitchen-terraform*cpe:2.3:a:ruby:kitchen-terraform:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	kitchen-terraform	*	cpe:2.3:a:ruby:kitchen-terraform::::::::

References

github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

JSON

Related for RUBY:KITCHEN-TERRAFORM-2023-30618