CVE-2023-4782 — Path Traversal in Hashicorp Terraform

CWE-22 — Path Traversal6 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 84.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Terraform Hashicorp Terraform Msrc Cbl2 Terraform 1.3.2-19 ON CBL Mariner 2.0 +2 more

Timeline

PublishedSep 8

Latest updateJan 15

Description

Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶NVDhashicorp/terraform1.0.8 — 1.5.7

▶Gogithub.com/hashicorp_terraform1.0.8 — 1.5.7

▶msrcmsrc/cbl2_terraform_1.3.2-19_on_cbl_mariner_2.0

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

🔴Vulnerability Details

OSV

Terraform allows arbitrary file write during the `init` operation in github.com/hashicorp/terraform↗2024-08-21

▶

OSV

Terraform allows arbitrary file write during the `init` operation↗2023-09-08

▶

GHSA

Terraform allows arbitrary file write during the `init` operation↗2023-09-08

▶

📋Vendor Advisories

Oracle

Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Terraform) — CVE-2023-4782↗2025-01-15

▶

Microsoft

Terraform Allows Arbitrary File Write During Init Operation↗2023-09-12

▶