Improper Masking of Secrets in Logs Affecting github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/api package, versions <3.0.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.08% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Masking of Secrets in Logs vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMMICROSOFTTERRAFORMPROVIDERPOWERPLATFORMINTERNALPOWERPLATFORMAPI-8097240
  • published26 Sept 2024
  • disclosed25 Sept 2024
  • creditMatt Dotson

Introduced: 25 Sep 2024

CVE-2024-47083  (opens in a new tab)
CWE-117  (opens in a new tab)

How to fix?

Upgrade github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/api to version 3.0.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Masking of Secrets in Logs due to an error in the logging code that fails to properly mask the client_secret when logs are persisted or viewed. An attacker can gain access to sensitive information by exploiting this vulnerability to view unmasked secrets in the logs.

Workaround

  1. This vulnerability can be mitigated by immediately rotating the client_secret for any service principal that has been configured using this Terraform provider.

  2. Consider disabling the TF_LOG_PATH environment variable or configuring Terraform to not persist logs to a file or an external system until the provider is updated.

  3. Existing logs that may contain the client_secret should be removed or sanitized to prevent unauthorized access.

References

CVSS Scores

version 4.0
version 3.1