Advisories for Golang/Github.com/Weaveworks/Tf-Controller package

2023

Exposure of Sensitive Information to an Unauthorized Actor

Weave GitOps Terraform Controller (aka Weave TF-controller) is a controller for Flux to reconcile Terraform resources in a GitOps way. A vulnerability has been identified in Weave GitOps Terraform Controller which could allow an authenticated remote attacker to view sensitive information. This vulnerability stems from Weave GitOps Terraform Runners (tf-runner), where sensitive data is inadvertently printed, potentially revealing sensitive user data in their pod logs. In particular, functions tfexec.ShowPlan, …