GHSA-wpr2-j6gr-pjw9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wpr2-j6gr-pjw9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-wpr2-j6gr-pjw9/GHSA-wpr2-j6gr-pjw9.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-wpr2-j6gr-pjw9
- Aliases
- Published
- 2024-10-03T16:51:50Z
- Modified
- 2024-10-09T22:51:43Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
- Details
-
Impact
Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors.
Workarounds
Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible.
Examples
variable "backend_path" { type = string sensitive = true } terraform { backend "local" { path = var.backend_path } }variable "mod_info" { type = string sensitive = true } module "foo" { source = var.mod_info //version = var.mod_info } - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-200" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-10-03T16:51:50Z" }- References
Affected packages
Go / github.com/opentofu/opentofu
Package
- Name
- github.com/opentofu/opentofu
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/opentofu/opentofu