PT-2021-22991 · Hashicorp · Hashicorp Terraform Enterprise

Published

2021-09-15

Updated

2022-07-12

CVE-2021-40862

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions HashiCorp Terraform Enterprise versions up to v202108-1

Description The issue concerns an API endpoint that incorrectly disclosed a sensitive URL to authenticated users. This could potentially be exploited for privilege escalation or to make unauthorized changes to a Terraform configuration.

Recommendations For HashiCorp Terraform Enterprise versions up to v202108-1, update to version v202109-1 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoint to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2021-40862

Affected Products

Hashicorp Terraform Enterprise

PT-2021-22991 · Hashicorp · Hashicorp Terraform Enterprise

CVE-2021-40862

Weakness Enumeration

Related Identifiers

Affected Products

References · 4