
Cloud Vulnerability DB
A community-led vulnerabilities database
Kitchen-Terraform version 7.0.0 introduced a regression (CVE-2023-30618) that printed sensitive Terraform output values at the info logging level during the 'kitchen converge' action. The vulnerability was discovered on April 21, 2023 and affects Kitchen-Terraform versions 7.0.0 and 7.0.1. Before 7.0.0, output values were printed at the debug level, so values marked sensitive did not reach the terminal at the default log level (GitHub Advisory).
The vulnerability has a CVSS v3.1 base score of 3.2 (Low severity) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N: local access with low privileges is enough, a user must trigger the converge, only confidentiality is affected, and the changed scope (S:C) reflects that the exposed data belongs to the infrastructure under test rather than to Kitchen-Terraform itself. The root cause is a defect in how the debug connection logger was initialized for the 'kitchen converge' operation, which caused all Terraform output values, including those marked sensitive, to be logged at the info level instead of the intended debug level (NVD).
Because every Terraform output value, including those marked sensitive, appears in the default log output of 'kitchen converge', anyone who can read that output can recover the secrets. That includes the developer's terminal, but also CI job logs, which are typically retained and shared more widely than the workstation that ran the converge (GitHub Advisory).
Users are advised to upgrade to Kitchen-Terraform version 7.0.2 or later, which fixes the debug connection logger so that output values are again logged only at the debug level. There are no known workarounds other than upgrading to a patched version (GitHub Patch). The installed version can be confirmed with 'gem list kitchen-terraform'. Upgrading does not undo earlier exposure: if converge output produced by 7.0.0 or 7.0.1 was captured in CI logs or other persisted output, treat the sensitive outputs it contained as compromised and rotate them.
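The following Ruby example is added here to illustrate the logging mistake described above; it is not Kitchen-Terraform's own code and does not reproduce its internals. It parses a constructed sample of the JSON that 'terraform output -json' emits (each output carries a "sensitive" flag), then contrasts a logger that writes every output at INFO, the shape of the 7.0.x regression, with one that writes sensitive values only at DEBUG and a placeholder at INFO. The helper names (parse_outputs, log_outputs_regressed, log_outputs_safe, capture_log, leaks_sensitive?) are assumptions made for this example.

```ruby
require "json"
require "logger"
require "stringio"

# Constructed sample of what `terraform output -json` emits: every output
# carries a "sensitive" flag next to its type and value. Values are fake.
SAMPLE_OUTPUTS_JSON = <<~JSON
  {
    "instance_ip": {"sensitive": false, "type": "string", "value": "203.0.113.10"},
    "db_password": {"sensitive": true, "type": "string", "value": "hunter2-super-secret"},
    "api_keys": {"sensitive": true, "type": ["map", "string"], "value": {"prod": "AKIA-EXAMPLE-KEY"}}
  }
JSON

# Parses the JSON document into name => { value:, sensitive: }, defaulting
# "sensitive" to false when Terraform omits it.
def parse_outputs(json)
  JSON.parse(json).each_with_object({}) do |(name, attrs), acc|
    acc[name] = { value: attrs.fetch("value"), sensitive: attrs.fetch("sensitive", false) }
  end
end

# Regressed behaviour (hypothetical model of the 7.0.x bug): every output,
# sensitive or not, is written at INFO and so shows up at the default level.
def log_outputs_regressed(outputs, logger)
  outputs.each { |name, o| logger.info("output #{name} = #{o[:value].to_json}") }
end

# Intended behaviour: sensitive values only reach the log at DEBUG; at INFO
# they are replaced by a placeholder, so the default log level never prints them.
def log_outputs_safe(outputs, logger)
  outputs.each do |name, o|
    if o[:sensitive]
      logger.info("output #{name} = <sensitive>")
      logger.debug("output #{name} = #{o[:value].to_json}")
    else
      logger.info("output #{name} = #{o[:value].to_json}")
    end
  end
end

# Runs a logging routine against an in-memory logger at the given level and
# returns the captured text, so both behaviours can be compared offline.
def capture_log(level:, outputs:)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  logger.level = level
  yield(outputs, logger)
  buffer.string
end

# Detection check: true if any sensitive output value appears verbatim in
# the captured log text. This is the check to run over real converge output.
def leaks_sensitive?(text, outputs)
  outputs.any? { |_, o| o[:sensitive] && text.include?(o[:value].to_json) }
end

if __FILE__ == $PROGRAM_NAME
  outputs = parse_outputs(SAMPLE_OUTPUTS_JSON)
  regressed = capture_log(level: Logger::INFO, outputs: outputs) { |o, l| log_outputs_regressed(o, l) }
  safe = capture_log(level: Logger::INFO, outputs: outputs) { |o, l| log_outputs_safe(o, l) }
  puts "regressed logger leaks at INFO: #{leaks_sensitive?(regressed, outputs)}"
  puts "safe logger leaks at INFO:      #{leaks_sensitive?(safe, outputs)}"
end
```

The same leaks_sensitive? check can be pointed at a saved 'kitchen converge' log and the real 'terraform output -json' for the workspace to confirm whether an installed version is exposing sensitive outputs at the default level.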
Source: This report was generated using AI