Privilege Escalation Risk in HashiCorp Terraform Enterprise
CVE-2021-40862

8.8HIGH

Key Information:

Vendor: Hashicorp
Status: Terraform Enterprise
Vendor: CVE Published:; 15 September 2021

Summary

HashiCorp Terraform Enterprise versions up to v202108-1 include an API endpoint that reveals sensitive URLs to authenticated users. This disclosure may allow attackers to exploit the information for privilege escalation or unauthorized modifications to Terraform configurations. The vulnerability was addressed in version v202109-1, which corrected the API functionality to prevent this sensitive information leak.

References

https://discuss.hashicorp.com/t/hcsec-2021-25-terraform-e...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 15, 2021
Vulnerability Reserved
Sep 10, 2021