3.2

CVSS Score

Basic Information

CVE ID

CVE-2023-30618

GHSA ID

GHSA-65g2-x53q-cmf6

EPSS Score

CWE

CWE-532

Published

4/24/2023

Updated

11/6/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30618

CVE-2023-30618:
Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform

Summary

Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the info logging level during the kitchen converge action. Prior to v7.0.0, the output values were printed at the debug level to avoid writing sensitive values to the terminal by default.

Original Report

@brettcurtis:

Hopefully, I'm not doing something stupid here, but I'm seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215

It's not really a sensitive value just used it as an example.

(GitHub Advisory)

3.2

CVSS Score

Basic Information

CVE ID

CVE-2023-30618

GHSA ID

GHSA-65g2-x53q-cmf6

EPSS Score

CWE

CWE-532

Published

4/24/2023

Updated

11/6/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
kitchen-terraform	rubygems	>= 7.0.0, < 7.0.1	7.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key changes: 1) In terraform.rb, debug_connection was initialized with DebugLogger.new(logger: logger) which incorrectly passed a keyword argument, leading to improper logger configuration. 2) DebugLogger's constructor lacked type validation, allowing non-debug loggers. The fix corrected both by using positional arguments (DebugLogger.new(logger)) and adding type checks. These functions directly controlled the logging level configuration of sensitive outputs during 'kitchen converge'.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Kit***n-T*rr**orm v*.*.* intro*u*** * r**r*ssion w*i** **us** *ll T*rr**orm output v*lu*s, in*lu*in* s*nsitiv* v*lu*s, to ** print** *t t** `in*o` lo**in* l*v*l *urin* t** `kit***n *onv*r**` **tion. Prior to v*.*.*, t** output v*lu*s w*r

Reasoning

T** vuln*r**ility st*mm** *rom two k*y ***n**s: *) In t*rr**orm.r*, ***u*_*onn**tion w*s initi*liz** wit* ***u*Lo***r.n*w(lo***r: lo***r) w*i** in*orr**tly p*ss** * k*ywor* *r*um*nt, l***in* to improp*r lo***r *on*i*ur*tion. *) ***u*Lo***r's *onstru*

3.2

Basic Information

Concerned about an active attack path?

CVE-2023-30618: Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform

Summary

Original Report

3.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-30618:
Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform

Vulnerability Intelligence
Miggo AI