CVE-2023-30618 – kitchen-terraform
Package
Manager: gem
Name: kitchen-terraform
Vulnerable Version: >=7.0.0 <7.0.1
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
EPSS: 0.0003 (percentile 0.06817)
Details
Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform

### Summary

Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the `info` logging level during the `kitchen converge` action. Prior to v7.0.0, the output values were printed at the `debug` level to avoid writing sensitive values to the terminal by default.

### Original Report

@brettcurtis:

> Hopefully, I'm not doing something stupid here, but I'm seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215
>
> It's not really a sensitive value, just used it as an example.
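The regression described above, as an added Ruby illustration that is not kitchen-terraform's own code: the same Terraform outputs (a constructed sample in the shape of `terraform output -json`) are logged the v7.0.0 way (everything at `info`) and the intended way (at `debug`, so the default `info` threshold writes nothing). Masking values that Terraform itself flags as `sensitive` is an extra hardening assumed here, not part of the advisory's fix.

```ruby
require "json"
require "logger"
require "stringio"

# Constructed sample in the shape of `terraform output -json`: each output
# carries a "sensitive" flag alongside its value. Values are made up.
SAMPLE_OUTPUTS = JSON.parse(<<~JSON)
  {
    "project_id":  { "sensitive": false, "type": "string", "value": "example-project" },
    "db_password": { "sensitive": true,  "type": "string", "value": "s3cr3t-value" }
  }
JSON

# Builds the log lines for Terraform outputs as [level, message] pairs so the
# behaviour can be checked without capturing stdout.
# - regressed: true  mirrors the v7.0.0 behaviour (every output at :info, unmasked).
# - regressed: false mirrors the pre-7.0.0 intent (outputs at :debug) and, as an
#   assumed extra hardening, masks outputs Terraform flags as sensitive.
def output_log_lines(outputs, regressed: false)
  outputs.map do |name, attrs|
    if regressed
      [:info, "#{name} = #{attrs["value"]}"]
    else
      value = attrs["sensitive"] ? "<sensitive>" : attrs["value"]
      [:debug, "#{name} = #{value}"]
    end
  end
end

# Emits the lines through a Logger at the given threshold; returns what was written.
def render(outputs, level:, regressed: false)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  logger.level = level
  logger.formatter = proc { |severity, _time, _prog, msg| "#{severity}: #{msg}\n" }
  output_log_lines(outputs, regressed: regressed).each { |lvl, msg| logger.public_send(lvl, msg) }
  buffer.string
end

if __FILE__ == $PROGRAM_NAME
  puts "--- v7.0.0 behaviour, default info threshold (leaks the secret) ---"
  puts render(SAMPLE_OUTPUTS, level: Logger::INFO, regressed: true)
  puts "--- intended behaviour, default info threshold (prints nothing) ---"
  puts render(SAMPLE_OUTPUTS, level: Logger::INFO)
  puts "--- intended behaviour, debug threshold (sensitive value masked) ---"
  puts render(SAMPLE_OUTPUTS, level: Logger::DEBUG)
end
```

Running the script shows the secret only in the first block, which is the condition a CI log scanner for CWE-532 would flag.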
Metadata
Created: 2023-04-24T22:44:38Z
Modified: 2023-04-24T22:44:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-65g2-x53q-cmf6/GHSA-65g2-x53q-cmf6.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-65g2-x53q-cmf6
Finding: F009
Auto approve: 1