Exposure of confidential secret or token HashiCorp Terraform API token

Description

The response body contains content that matches the pattern of a HashiCorp Terraform API token was identified. API tokens can be used to access the HCP Terraform API. A malicious actor with access to this token can perform all actions the user account is entitled to. Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To revoke an API token:

• Sign in to the Terraform HCP console and access https://app.terraform.io/app/settings/tokens
• Find the token that was identified
• Select the trash icon on the right hand side of the token
• When prompted, select “Confirm” in the “Deleting token …” dialog

For more information, please see Terraform’s documentation on API tokens.

Details

Links

• CWE