Description
Terraform allows arbitrary file write during the init operation
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the init operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-4782
- https://github.com/hashicorp/terraform/pull/33745
- https://github.com/hashicorp/terraform/commit/0f2314fb62193c4be94328cc026fcb7ec1e9b893
- https://discuss.hashicorp.com/t/hcsec-2023-27-terraform-allows-arbitrary-file-write-during-init-operation/58082
- https://github.com/hashicorp/terraform/releases/tag/v1.5.7
Packages
github.com/hashicorp/terraform
>= 1.0.8, < 1.5.7
1.5.7
Related vulnerabilities
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write duri ...
A vulnerability in Terraform, open-source software for managing external resources, caused by improper limitation of a pathname to a restricted directory, which allows an attacker to upload arbitrary files