CVE-2023-30618 (kitchen-terraform): Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform

ADVISORIES

CVE-2023-30618 (NVD)
GHSA-65g2-x53q-cmf6
Vendor Advisory

GEM

kitchen-terraform

SEVERITY

CVSS v3.x: 3.2 (Low)

UNAFFECTED VERSIONS

< 7.0.0

PATCHED VERSIONS

>= 7.0.1

DESCRIPTION

Summary Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the info logging level during the kitchen converge action. Prior to v7.0.0, the output values were printed at the debug level to avoid writing sensitive values to the terminal by default.

Original Report

@brettcurtis: Hopefully, I’m not doing something stupid here, but I’m seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215

It's not really a sensitive value just used it as an example.

https://github.com/newcontext-oss/kitchen-terraform/security/advisories/GHSA-65g2-x53q-cmf6
https://nvd.nist.gov/vuln/detail/CVE-2023-30618
https://github.com/newcontext-oss/kitchen-terraform/commit/3d20d60e7a891e2dd747df995a31226fa0b4ac48
https://github.com/advisories/GHSA-65g2-x53q-cmf6

RubySec