Sensitive information sent insecurely in github.com/opentofu/opentofu
Description
Potential leak of secret variable values in OpenTofu when using static evaluation in v1.8
Impact
Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This workflow should not be possible and should produce explicit errors.
Workarounds
Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible.
Examples
```hcl
variable "backend_path" {
  type      = string
  sensitive = true
}

terraform {
  backend "local" {
    path = var.backend_path
    # ...
  }
}
```

```hcl
variable "mod_info" {
  type      = string
  sensitive = true
}

module "foo" {
  source = var.mod_info
  //version = var.mod_info
  # ...
}
```
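One way to carry out the check described under Workarounds, as an added example that is not part of the advisory or of OpenTofu: a heuristic Python scan of `.tf` text for sensitive variables referenced in a module's `source` or `version`, or in any backend attribute. It uses regexes rather than a real HCL parser and only follows direct `var.` references (locals are not tracked); the `SAMPLE` input and the `label` module input are constructed for illustration.

```python
import re

# Constructed sample modelled on the advisory's two examples (not real config).
SAMPLE = '''
variable "backend_path" {
  sensitive = true
}
variable "mod_info" {
  sensitive = true
}
terraform {
  backend "local" {
    path = var.backend_path
  }
}
module "foo" {
  source = var.mod_info
  //version = var.mod_info
  label  = var.backend_path   # ordinary module input, not statically evaluated
}
'''

def blocks(text, header_re):
    """Yield (header match, body) for each `header { ... }` block, by brace counting."""
    for m in re.finditer(header_re + r'\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def find_static_leaks(text):
    """Return (block, attribute, variable) for sensitive vars in statically evaluated fields."""
    sensitive = {m.group(1) for m, body in blocks(text, r'variable\s+"([^"]+)"')
                 if re.search(r'^\s*sensitive\s*=\s*true\b', body, re.M)}
    findings = []
    def check(where, body, attrs):
        for line in body.splitlines():
            a = re.match(r'\s*(\w+)\s*=\s*(.*)', line)  # commented-out lines do not match
            if a and (attrs is None or a.group(1) in attrs):
                findings.extend((where, a.group(1), v)
                                for v in re.findall(r'\bvar\.(\w+)', a.group(2)) if v in sensitive)
    for m, body in blocks(text, r'module\s+"([^"]+)"'):
        check('module.' + m.group(1), body, {'source', 'version'})
    for m, body in blocks(text, r'backend\s+"([^"]+)"'):
        check('backend.' + m.group(1), body, None)  # every backend attribute is checked
    return findings

if __name__ == '__main__':
    print(find_static_leaks(SAMPLE))
```

A non-empty result lists the configuration locations to rewrite before relying on static evaluation; an empty result from this heuristic does not rule out indirect references through locals.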
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | 1.8.3 |