Veracode Vulnerability DatabaseVERACODE:41348Information Disclosure
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS
Percentile
50.3%
github.com/weaveworks/tf-controller is vulnerable to Information Disclosure. A flaw in Weave GitOps Terraform Runners (tf-runner) allows an authenticated remote attacker to acquire user information in pod logs due to accidentally displaying sensitive data by the victim. The functions tfexec.ShowPlan ,tfexec.ShowPlanRaw, and tfexec.Output, which are set to os.Stdout and os.Stderr, are affected by this issue. The data could include settings or tokens that may be used to obtain unauthorized access to take control of Terraform controller resources.
References
github.com/advisories/GHSA-6hvv-j432-23cv
github.com/weaveworks/tf-controller/commit/28282bc644054e157c3b9a3d38f1f9551ce09074
github.com/weaveworks/tf-controller/commit/6323b355bd7f5d2ce85d0244fe0883af3881df4e
github.com/weaveworks/tf-controller/commit/9708fda28ccd0466cb0a8fd409854ab4d92f7dca
github.com/weaveworks/tf-controller/commit/98a0688036e9dbcf43fa84960d9a1ef3e09a69cf
github.com/weaveworks/tf-controller/issues/637
github.com/weaveworks/tf-controller/issues/649
github.com/weaveworks/tf-controller/security/advisories/GHSA-6hvv-j432-23cv
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS
Percentile
50.3%