Improper Masking of Secrets in Logs Affecting github.com/microsoft/terraform-provider-power-platform/internal/powerplatform package, versions <3.0.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.08% (34th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMICROSOFTTERRAFORMPROVIDERPOWERPLATFORMINTERNALPOWERPLATFORM-8097239
  • published 26 Sep 2024
  • disclosed 25 Sep 2024
  • credit Matt Dotson

How to fix?

Upgrade github.com/microsoft/terraform-provider-power-platform/internal/powerplatform to version 3.0.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Masking of Secrets in Logs due to an error in the logging code that fails to properly mask the client_secret when logs are persisted or viewed. An attacker can gain access to sensitive information by exploiting this vulnerability to view unmasked secrets in the logs.

Workaround

  1. This vulnerability can be mitigated by immediately rotating the client_secret for any service principal that has been configured using this Terraform provider.

  2. Consider disabling the TF_LOG_PATH environment variable or configuring Terraform to not persist logs to a file or an external system until the provider is updated.

  3. Existing logs that may contain the client_secret should be removed or sanitized to prevent unauthorized access.

References

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
6.8 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    High
  • Integrity (VI)
    None
  • Availability (VA)
    None
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None