ID CVE-2021-36230
Summary HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1.
References
Vulnerable Configurations
  • cpe:2.3:a:hashicorp:terraform:*:*:*:*:*:enterprise:*:*
CVSS
Base: 6.5 (as of 29-07-2021 - 19:11)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: SINGLE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
Last major update 29-07-2021 - 19:11
Published 20-07-2021 - 21:15
Last modified 29-07-2021 - 19:11