PT-2019-15807 · Hashicorp+1 · Terraform+1

Phekmat · Published 2019-12-02 · Updated 2024-08-21 · CVE-2019-19316

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Terraform versions prior to 0.12.17

Description

The issue concerns the transmission of sensitive data in cleartext HTTP when using the Azure backend with a shared access signature (SAS) in Terraform. This affects the github.com/hashicorp/terraform/backend/remote-state/azure package. The problem involves the use of a broken or risky cryptographic algorithm.

Recommendations

For Terraform versions prior to 0.12.17, update to version 0.12.17 or later to resolve the issue. As a temporary workaround, consider disabling the use of cleartext HTTP for transmitting the token and state snapshot until a patch is available. Restrict access to the Azure backend with a shared access signature (SAS) to minimize the risk of exploitation.

Fix

Cleartext Transmission of Sensitive Information

RCE

Use of a Broken Cryptographic Algorithm

Weakness Enumeration

Related identifiers

CVE-2019-19316
GHSA-4RVG-555H-R626
GHSA-H3P9-WRGX-82CM
GO-2022-0839
OPENSUSE-SU-2024:11429-1
SUSE-SU-2020:0320-1
SUSE-SU-2020_0320-1

Affected products

Suse
Terraform