PT-2019-15807 · Hashicorp+1 · Terraform+1

Phekmat · Published 2019-12-02 · Updated 2024-08-21 · CVE-2019-19316

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Terraform versions prior to 0.12.17

Description

The issue concerns the transmission of sensitive data in cleartext HTTP when using the Azure backend with a shared access signature (SAS) in Terraform. This affects the github.com/hashicorp/terraform/backend/remote-state/azure package. The problem involves the use of a broken or risky cryptographic algorithm.

Recommendations

For Terraform versions prior to 0.12.17, update to version 0.12.17 or later to resolve the issue. As a temporary workaround, consider disabling the use of cleartext HTTP for transmitting the token and state snapshot until a patch is available. Restrict access to the Azure backend with a shared access signature (SAS) to minimize the risk of exploitation.

Fix

Cleartext Transmission of Sensitive Information

RCE

Use of a Broken Cryptographic Algorithm

Weakness Enumeration

Related Identifiers

CVE-2019-19316
GHSA-4RVG-555H-R626
GHSA-H3P9-WRGX-82CM
GO-2022-0839
OPENSUSE-SU-2024:11429-1
SUSE-SU-2020:0320-1
SUSE-SU-2020_0320-1

Affected Products

Suse
Terraform