GHSA-wpr2-j6gr-pjw9: OpenTofu potential leaking of secret variable values when using static evaluation in v1.8

October 3, 2024 (updated October 9, 2024)

Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors.

References

github.com/advisories/GHSA-wpr2-j6gr-pjw9
github.com/opentofu/opentofu
github.com/opentofu/opentofu/security/advisories/GHSA-wpr2-j6gr-pjw9
pkg.go.dev/vuln/GO-2024-3182

Code Behaviors & Features

Detect and mitigate GHSA-wpr2-j6gr-pjw9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →