Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13cHIyLWo2Z3ItcGp3Oc4AA_7y
OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Impact
Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This workflow should not be possible at all, and OpenTofu should explicitly report an error instead of evaluating the value.
Workarounds
Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible.
Examples
variable "backend_path" {
  type      = string
  sensitive = true
}

terraform {
  backend "local" {
    path = var.backend_path
  }
}

variable "mod_info" {
  type      = string
  sensitive = true
}

module "foo" {
  source = var.mod_info
  //version = var.mod_info
}
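The workaround above asks you to confirm that no sensitive variable is referenced from a module source or version or from a backend configuration. The following script is an added example, not part of the advisory or of the OpenTofu project: it scans a configuration for `sensitive = true` variables and reports any `var.<name>` reference to them inside `module` source/version attributes or inside a `backend` block. The sample configuration embedded in it is constructed from the advisory's own examples; the parsing is a deliberately small brace-counting pass (it assumes braces inside string literals are balanced, which holds for `${...}` interpolation, and only strips whole-line `//` and `#` comments), not a full HCL parser.

```python
import re

# Constructed sample, modelled on the advisory's examples. The "region"
# variable is not sensitive and must not be reported; the commented-out
# version line must be ignored.
SAMPLE_TF = """
variable "backend_path" {
  type      = string
  sensitive = true
}

variable "region" {
  type = string
}

terraform {
  backend "local" {
    path = var.backend_path
  }
}

variable "mod_info" {
  type      = string
  sensitive = true
}

module "foo" {
  source  = var.mod_info
  version = "1.${var.region}"
  //version = var.mod_info
}
"""

VAR_REF_RE = re.compile(r'\bvar\.([A-Za-z_][A-Za-z0-9_-]*)')
BACKEND_RE = re.compile(r'backend\s+"([^"]+)"\s*\{(.*?)\n\s*\}', re.S)


def strip_comments(hcl):
    """Drop whole-line // and # comments so commented-out references are ignored."""
    return re.sub(r'^\s*(//|#).*$', '', hcl, flags=re.M)


def top_level_blocks(hcl):
    """Yield (header, body) for each top-level block via brace counting.
    Assumes braces in string literals are balanced (true for ${} interpolation)."""
    i, n = 0, len(hcl)
    while True:
        open_idx = hcl.find('{', i)
        if open_idx < 0:
            return
        before = hcl[i:open_idx].strip()
        header = before.splitlines()[-1].strip() if before else ''
        depth, j = 0, open_idx
        while j < n:
            if hcl[j] == '{':
                depth += 1
            elif hcl[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield header, hcl[open_idx + 1:j]
        i = j + 1


def sensitive_variables(hcl):
    """Return the names of all variables declared with sensitive = true."""
    names = set()
    for header, body in top_level_blocks(hcl):
        parts = header.split()
        if len(parts) == 2 and parts[0] == 'variable':
            if re.search(r'^\s*sensitive\s*=\s*true\s*$', body, re.M):
                names.add(parts[1].strip('"'))
    return names


def find_leaks(hcl):
    """Return (block, attribute, variable) triples where a sensitive variable is
    used in a module source/version or anywhere inside a backend block."""
    hcl = strip_comments(hcl)
    sensitive = sensitive_variables(hcl)
    findings = []
    for header, body in top_level_blocks(hcl):
        kind = header.split()[0] if header else ''
        if kind == 'module':
            for attr in ('source', 'version'):
                for m in re.finditer(rf'^\s*{attr}\s*=\s*(.+)$', body, re.M):
                    for ref in VAR_REF_RE.findall(m.group(1)):
                        if ref in sensitive:
                            findings.append((header, attr, ref))
        elif kind == 'terraform':
            for m in BACKEND_RE.finditer(body):
                for ref in VAR_REF_RE.findall(m.group(2)):
                    if ref in sensitive:
                        findings.append((f'backend "{m.group(1)}"', 'config', ref))
    return findings


if __name__ == '__main__':
    for block, attr, var in find_leaks(SAMPLE_TF):
        print(f'{block}: attribute "{attr}" references sensitive variable var.{var}')
```

Run it against a real configuration by replacing SAMPLE_TF with the concatenated contents of your `.tf` files; any reported triple is a place where, on an affected 1.8.x release, static evaluation could have exposed the variable's value, and which 1.8.3 rejects with an explicit error.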
Permalink: https://github.com/advisories/GHSA-wpr2-j6gr-pjw9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cHIyLWo2Z3ItcGp3Oc4AA_7y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 months ago
Updated: about 1 month ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-wpr2-j6gr-pjw9
References:
- https://github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9
- https://pkg.go.dev/vuln/GO-2024-3182
- https://github.com/advisories/GHSA-wpr2-j6gr-pjw9
Blast Radius: 1.0
Affected Packages
go:github.com/opentofu/opentofu
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.8.0, < 1.8.3
Fixed in: 1.8.3
All affected versions: 1.8.0, 1.8.1, 1.8.2
All unaffected versions: 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.8.3, 1.8.4, 1.8.5