Sensitive Data Logging Exposure in HashiCorp Terraform Enterprise
CVE-2022-25374

7.5HIGH

Key Information:

Vendor: Hashicorp
Status: Terraform Enterprise
Vendor: CVE Published:; 25 February 2022

Summary

HashiCorp Terraform Enterprise versions 202112-1, 202112-2, 202201-1, and 202201-2 were found to log inbound HTTP requests in a way that might expose sensitive information, potentially leading to unauthorized access to data. This issue has been addressed in version 202202-1, which mitigates the risk by altering the logging configuration to prevent sensitive information from being captured.

References

https://discuss.hashicorp.com

x_refsource_MISC

https://discuss.hashicorp.com/t/hcsec-2022-06-terraform-e...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 25, 2022
Vulnerability Reserved
Feb 20, 2022