Main Vulnerability Database Vulnerabilities #VU98805

Path traversal in Terraform - CVE-2023-4782

Published: October 18, 2024

Vulnerability identifier: #VU98805

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-4782

CWE-ID: CWE-22

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: HashiCorp

Affected software:
Terraform

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to input validation error when processing directory traversal sequences during the "init" operation if run on maliciously crafted Terraform configuration. A local user can overwrite arbitrary files on the system and escalate privileges.

How to mitigate CVE-2023-4782

Install update from vendor's website.

Sources

https://discuss.hashicorp.com/t/hcsec-2023-27-terraform-allows-arbitrary-file-write-during-init-operation/58082

Path traversal in Terraform - CVE-2023-4782

Detailed vulnerability description

How to mitigate CVE-2023-4782

Sources

Please verify you're human