+ "details": "### Impact\nThe Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, object storage data, and NodeBalancer TLS keys in debug logs without redaction.\n\n**Important:** Provider debug logging is **not enabled by default**. \nThis issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment.\n\nSpecifically:\n- Instance creation operations logged the full InstanceCreateOptions struct containing RootPass and StackScriptData\n- Instance disk creation logged InstanceDiskCreateOptions containing RootPass and StackscriptData\n- StackScript update operations logged the complete script content via StackscriptUpdateOptions.Script\n- Image share group member creation logged tokens in ImageShareGroupAddMemberOptions.Token\n- Object storage operations logged full PutObjectInput structures containing user data\n- NodeBalancer config create and update operations logged NodeBalancerConfigCreateOptions and NodeBalancerConfigUpdateOptions containing the SSLKey (TLS private key)\n\nAn authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials.\n\n### Patches\nUpdate to version v3.9.0 or later, which sanitizes debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content.\n\n### Workarounds and Mitigations\n- Disable Terraform/provider debug logging or set it to `WARN` level or above\n - To disable the logging, you can unset `TF_LOG_PROVIDER` and `TF_LOG` environment variables\n - Or you can set them to `WARN` or `ERROR` levels to avoid sensitive 
information logged in `INFO` and `DEBUG` levels.\n - See Terraform docs for details: https://developer.hashicorp.com/terraform/internals/debugging\n- Restrict access to existing and historical logs\n- Purge/retention-trim logs that may contain sensitive values\n- Rotate potentially exposed secrets/credentials, including:\n - Root passwords\n - Image share group tokens\n - TLS private keys/certificates used in NodeBalancer configs\n - StackScript content/secrets if embedded\n\n### Credits\nThis issue was reported to Terraform by Hasan Sheet via [Akamai's HackerOne Bug Bounty program](https://hackerone.com/akamai).\n\n### Resources\nhttps://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0\nhttps://github.com/linode/terraform-provider-linode/pull/2269\nhttps://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0",
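Review bot: The log levels named under "Workarounds and Mitigations" do not line up with the "Impact" section. Impact says the values were written to "debug logs", while the workaround warns about "sensitive information logged in `INFO` and `DEBUG` levels" and never mentions `TRACE`, which is more verbose than `DEBUG`. Suggest stating in Impact which levels emitted the unredacted structs, and listing `TRACE` alongside `INFO` and `DEBUG` so readers do not assume it is safe. Two smaller points: the Credits sentence says the issue was reported "to Terraform" although the linked program is Akamai's, so confirm the intended recipient; and the three URLs under "Resources" are separated by single `\n`, which Markdown renders as one paragraph, so consider making them list items.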