Configuration Vulnerability in HashiCorp Terraform's Vault Provider
CVE-2021-30476

9.8CRITICAL

Key Information:

Vendor: Hashicorp
Status: Terraform Provider
Vendor: CVE Published:; 22 April 2021

Summary

The Vault Provider for HashiCorp Terraform contained a configuration flaw that improperly set up GCE-type bound labels for its GCP authentication method. This misconfiguration could lead to unauthorized access or manipulation of sensitive data. The issue was rectified in version 2.19.1, highlighting the importance of staying updated to mitigate potential risks associated with misconfigured cloud security settings.

References

https://github.com/hashicorp/terraform-provider-vault/iss...

x_refsource_MISC

https://discuss.hashicorp.com/t/hcsec-2021-11-terraform-s...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 22, 2021
Vulnerability Reserved
Apr 8, 2021