exploitDog

CVE-2025-13432

Опубликовано: 21 нояб. 2025

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.

Ссылки

https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-enterprise-state-versions-can-be-created-by-users-without-sufficient-write-access/76821
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:hashicorp:terraform:*:*:*:*:enterprise:*:*:*

Версия от 1.0.0 (включая) до 1.0.3 (исключая)

cpe:2.3:a:hashicorp:terraform:1.1.0:*:*:*:enterprise:*:*:*

EPSS

Процентиль: 10%

0.00034

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-3m8w-h8mm-xqvp

CVSS3: 4.3

github

3 месяца назад

Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.

EPSS

Процентиль: 10%

0.00034

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-863