Security Vulnerability Report
Type: CWE-532 - Insertion of Sensitive Information into Log File
I identified a credential logging vulnerability in the Terraform provider. Due to the sensitive nature of this issue, I am reporting it here since Private Vulnerability Reporting (PVR) is not enabled on this repository.
I recommend enabling GitHub Private Vulnerability Reporting so security researchers can report issues confidentially: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
I am happy to provide full details privately. Please enable PVR or share a security contact email, and I will submit the complete report with PoC.
Summary: The RoundTrip method in client/monte_carlo_client.go dumps all HTTP request and response bodies via tflog.Debug, which includes GCP service account keys, database passwords, and API tokens when TF_LOG=DEBUG is set.
Affected version: <= 0.5.2
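As an added illustration of the mitigation (this is example code, not the provider's own RoundTrip, which the report does not reproduce): a RoundTripper that redacts sensitive JSON fields before logging a body, and restores the body for the caller. The standard-library log package stands in for tflog.Debug so the block runs offline; the names sensitiveKeys, redact, SafeBody and loggingTransport and the field list are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"net/http"
)

// Field names whose values must never reach a log line (constructed list; extend it for the real payloads).
var sensitiveKeys = map[string]bool{"private_key": true, "password": true, "token": true, "api_key": true, "secret": true}
// redact walks a decoded JSON object and masks every value stored under a sensitive key, at any depth.
func redact(v interface{}) interface{} {
	if m, ok := v.(map[string]interface{}); ok {
		for k, val := range m {
			if sensitiveKeys[k] {
				m[k] = "[REDACTED]"
			} else {
				m[k] = redact(val)
			}
		}
	}
	return v
}
// SafeBody returns a log-safe rendering of a JSON body; non-JSON bodies are not echoed at all.
func SafeBody(body []byte) string {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return "[non-JSON body omitted]"
	}
	out, _ := json.Marshal(redact(doc))
	return string(out)
}
type loggingTransport struct{ next http.RoundTripper } // logs redacted bodies, then hands the originals on
func (l loggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Body != nil {
		raw, _ := io.ReadAll(req.Body)
		req.Body = io.NopCloser(bytes.NewReader(raw)) // replay the body for the real transport
		log.Printf("request %s %s body=%s", req.Method, req.URL, SafeBody(raw))
	}
	resp, err := l.next.RoundTrip(req)
	if err != nil {
		return nil, err
	}
	raw, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	resp.Body = io.NopCloser(bytes.NewReader(raw)) // replay the body for the caller
	log.Printf("response %d body=%s", resp.StatusCode, SafeBody(raw))
	return resp, nil
}
```

The debug line is still useful for troubleshooting, but a service account key or password in the payload shows up only as [REDACTED].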