
Security: Debug logging exposes credentials (CWE-532) #137

Description

@fg0x0

Security Vulnerability Report

Type: CWE-532 - Insertion of Sensitive Information into Log File

I identified a credential logging vulnerability in the Terraform provider. Due to the sensitive nature of this issue, I am reporting it here since Private Vulnerability Reporting (PVR) is not enabled on this repository.

I recommend enabling GitHub Private Vulnerability Reporting so security researchers can report issues confidentially: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

I am happy to provide full details privately. Please enable PVR or share a security contact email, and I will submit the complete report with PoC.

Summary: The RoundTrip method in client/monte_carlo_client.go dumps all HTTP request and response bodies via tflog.Debug, which includes GCP service account keys, database passwords, and API tokens when TF_LOG=DEBUG is set.

Affected version: <= 0.5.2
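A body-redacting RoundTripper of the kind that closes this class of bug, added here as an illustrative example rather than the provider's own code: it masks credential-bearing JSON fields before anything is logged and restores the request body for the wrapped transport. The `sensitiveKeys` list, the `redactingTransport` type and its `logf` field are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
	"strings"
)

// Keys whose values must never reach a log (assumed names for this example).
var sensitiveKeys = map[string]bool{"password": true, "token": true, "api_key": true, "private_key": true}
// redactJSON returns a loggable copy of body; a non-JSON body is never logged verbatim.
func redactJSON(body []byte) string {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return "[non-JSON body redacted]"
	}
	out, _ := json.Marshal(redactValue(doc))
	return string(out)
}
// redactValue masks sensitive keys at any depth, inside objects and arrays.
func redactValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			t[k] = redactValue(val)
			if sensitiveKeys[strings.ToLower(k)] {
				t[k] = "[REDACTED]"
			}
		}
	case []interface{}:
		for i := range t {
			t[i] = redactValue(t[i])
		}
	}
	return v
}
// redactingTransport logs only the masked body and restores req.Body so the wrapped RoundTripper still sends the original bytes.
type redactingTransport struct { next http.RoundTripper; logf func(string, ...interface{}) }

func (r *redactingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Body != nil {
		raw, err := io.ReadAll(req.Body)
		if err != nil {
			return nil, err
		}
		req.Body = io.NopCloser(strings.NewReader(string(raw)))
		r.logf("%s %s body=%s", req.Method, req.URL, redactJSON(raw))
	}
	return r.next.RoundTrip(req)
}
```

Pass `log.Printf` (or a tflog-backed function) as `logf` and the real `http.Transport` as `next`; response bodies would need the same treatment before being logged.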
