GHSA-WPR2-J6GR-PJW9
Vulnerability from github – Published: 2024-10-03 16:51 – Updated: 2024-10-09 22:51
VLAI
Summary
OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Details
Impact
Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors.
Workarounds
Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible.
Examples
variable "backend_path" {
type = string
sensitive = true
}
terraform {
backend "local" {
path = var.backend_path
}
}
variable "mod_info" {
type = string
sensitive = true
}
module "foo" {
source = var.mod_info
//version = var.mod_info
}
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opentofu/opentofu"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-03T16:51:50Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nUsers who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors.\n\n### Workarounds\nCheck that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible.\n\n### Examples\n```hcl\nvariable \"backend_path\" {\n type = string\n sensitive = true\n}\n\nterraform {\n backend \"local\" {\n path = var.backend_path\n }\n}\n```\n\n```hcl\nvariable \"mod_info\" {\n type = string\n sensitive = true\n}\n\nmodule \"foo\" {\n source = var.mod_info\n //version = var.mod_info\n}\n```\n\n",
"id": "GHSA-wpr2-j6gr-pjw9",
"modified": "2024-10-09T22:51:43Z",
"published": "2024-10-03T16:51:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9"
},
{
"type": "PACKAGE",
"url": "https://github.com/opentofu/opentofu"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "OpenTofu potential leaking of secret variable values when using static evaluation in v1.8"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…