CVE-2023-3114 — Incorrect Privilege Assignment in Terraform Enterprise

CWE-266 — Incorrect Privilege Assignment CWE-863 — Incorrect Authorization2 documents2 sources

Severity

7.7HIGHNVD

EPSS

0.2%

top 56.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Terraform Enterprise

Timeline

PublishedJun 22

Latest updateJun 23

Description

Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

▶CVEListV5hashicorp/terraform_enterprisev202207-1 — v202306-1

▶NVDhashicorp/terraform_enterprise202207-1 — 202306-1

🔴Vulnerability Details

GHSA

GHSA-fhmj-jv7w-vvg2: Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthor↗2023-06-23

▶