HashiCorp Terraform

stack.watch can email you when security vulnerabilities are reported in HashiCorp Terraform. You can add multiple products that you use with Terraform to create your own personal software stack watcher.

By the Year

In 2021 there have been 0 vulnerabilities in HashiCorp Terraform. Terraform did not have any published security vulnerabilities last year.

| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2021 | 0               | 0.00          |
| 2020 | 0               | 0.00          |
| 2019 | 1               | 7.50          |
| 2018 | 1               | 9.80          |

It may take a day or so for new Terraform vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest HashiCorp Terraform Security Vulnerabilities

When using the Azure backend with a shared access signature (SAS)

CVE-2019-19316 7.5 - High - December 02, 2019

When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP.

CVE-2019-19316 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be high for confidentiality, with no impact on integrity or availability.

Use of a Broken or Risky Cryptographic Algorithm

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account

CVE-2018-9057 9.8 - Critical - March 27, 2018

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.

CVE-2018-9057 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

Insufficient Entropy in PRNG