First published: Thu Oct 03 2024(Updated: )
### Impact Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors. ### Workarounds Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible. ### Examples ```hcl variable "backend_path" { type = string sensitive = true } terraform { backend "local" { path = var.backend_path } } ``` ```hcl variable "mod_info" { type = string sensitive = true } module "foo" { source = var.mod_info //version = var.mod_info } ```
Affected Software | Affected Version | How to fix |
---|---|---|
go/github.com/opentofu/opentofu | >=1.8.0<1.8.3 | 1.8.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.