HashiCorp Terraform Enterprise
By the Year
In 2023 there has been 1 vulnerability in HashiCorp Terraform Enterprise, with an average score of 7.7 out of ten. Last year Terraform Enterprise had 1 security vulnerability published. At the current rate, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.20.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 1 | 7.70 |
2022 | 1 | 7.50 |
2021 | 2 | 7.65 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Terraform Enterprise vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent HashiCorp Terraform Enterprise Security Vulnerabilities
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools
CVE-2023-3114
7.7 - High
- June 22, 2023
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.
AuthZ
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner
CVE-2022-25374
7.5 - High
- February 25, 2022
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.
Insertion of Sensitive Information into Log File
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint
CVE-2021-40862
8.8 - High
- September 15, 2021
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.
Information Disclosure
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting
CVE-2021-3153
6.5 - Medium
- March 26, 2021
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.
Authentication
