CVE-2023-4782 – github.com/hashicorp/terraform

Package

Manager: go
Name: github.com/hashicorp/terraform
Vulnerable Version: >=1.0.8 <1.5.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00047 pctl0.14028

Details

Terraform allows arbitrary file write during the `init` operation Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.

Metadata

Created: 2023-09-08T18:30:29Z
Modified: 2023-09-08T19:43:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-h626-pv66-hhm7/GHSA-h626-pv66-hhm7.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-h626-pv66-hhm7
Finding: F063
Auto approve: 1