Improper Masking of Secrets in Logs Affecting github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/config package, versions <3.0.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMMICROSOFTTERRAFORMPROVIDERPOWERPLATFORMINTERNALPOWERPLATFORMCONFIG-8097241
- published 26 Sep 2024
- disclosed 25 Sep 2024
- credit Matt Dotson
Introduced: 25 Sep 2024
CVE-2024-47083 Open this link in a new tabHow to fix?
Upgrade github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/config to version 3.0.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Masking of Secrets in Logs due to an error in the logging code that fails to properly mask the client_secret when logs are persisted or viewed. An attacker can gain access to sensitive information by exploiting this vulnerability to view unmasked secrets in the logs.
Workaround
This vulnerability can be mitigated by immediately rotating the
client_secretfor any service principal that has been configured using this Terraform provider.Consider disabling the
TF_LOG_PATHenvironment variable or configuring Terraform to not persist logs to a file or an external system until the provider is updated.Existing logs that may contain the
client_secretshould be removed or sanitized to prevent unauthorized access.