CVE-2021-36230 — Incorrect Authorization in Terraform

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGHNVD

OSV7.5

EPSS

0.2%

top 55.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Terraform Openldap Msrc Cbl2 Terraform 1.3.2-1 ON CBL Mariner 2.0 +2 more

Timeline

PublishedJul 20

Latest updateAug 24

Description

HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDhashicorp/terraform< 202107-1

▶msrcmsrc/cbl2_terraform_1.3.2-1_on_cbl_mariner_2.0

▶Ubuntuopenldap/openldap< 2.4.31-1+nmu2ubuntu8.5+esm8

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

🔴Vulnerability Details

OSV

openldap vulnerabilities↗2025-08-24

▶

GHSA

GHSA-6cgg-f8v8-8rxw: HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the r↗2022-05-24

▶

📋Vendor Advisories

Microsoft

HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token allowing privilege escalation to organiza↗2021-07-13

▶