PT-2024-32397 · Unknown · Power Platform Terraform Provider

Mattdot

Published: 2024-09-25 · Updated: 2024-10-03

CVE-2024-47083

CVSS v4.0: 8.8 (High)

Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Power Platform Terraform Provider, versions prior to 3.0.0
Description: In affected versions of the Power Platform Terraform Provider, an error in the logging code causes the client secret used for service principal authentication to be written to provider logs without being masked. Anyone who can view the logs, or retrieve them once they have been persisted (for example to a file via TF_LOG_PATH, or to a CI system's log store), therefore obtains the secret. Version 3.0.0 removes all logging of sensitive content. Because the secret may already have been captured, users who ran an affected version should immediately rotate the client secret of every service principal that was configured through this provider.
Recommendations: Upgrade to version 3.0.0 or later. Immediately rotate the client secret of any service principal that was configured using this Terraform provider. Until the provider has been upgraded to a fixed version, unset the TF_LOG_PATH environment variable and avoid persisting Terraform logs to a file or forwarding them to an external system. Remove or sanitize existing logs that may contain the client secret so that it cannot be recovered by anyone with access to them.

Weakness Enumeration

Insertion of Sensitive Information into Log File (CWE-532)

Related Identifiers

CVE-2024-47083
GHSA-7W3W-PJM5-M36C

Affected Products

Power Platform Terraform Provider