cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2023-4782,https://securityvulnerability.io/vulnerability/CVE-2023-4782,Terraform Allows Arbitrary File Write During Init Operation,Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.,Hashicorp,Terraform,6.3,MEDIUM,0.0004400000034365803,false,,false,false,false,,,false,false,,2023-09-08T18:15:00.000Z,0
CVE-2023-3114,https://securityvulnerability.io/vulnerability/CVE-2023-3114,Terraform Enterprise Agent Pool Controls Allowed Unauthorized Workspaces To Target an Agent Pool,"Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.",Hashicorp,Terraform Enterprise,5,MEDIUM,0.0006099999882280827,false,,false,false,false,,,false,false,,2023-06-22T22:15:00.000Z,0
CVE-2022-25374,https://securityvulnerability.io/vulnerability/CVE-2022-25374,Sensitive Data Logging Exposure in HashiCorp Terraform Enterprise,"HashiCorp Terraform Enterprise versions 202112-1, 202112-2, 202201-1, and 202201-2 were found to log inbound HTTP requests in a way that might expose sensitive information, potentially leading to unauthorized access to data. This issue has been addressed in version 202202-1, which mitigates the risk by altering the logging configuration to prevent sensitive information from being captured.",Hashicorp,Terraform Enterprise,7.5,HIGH,0.0017800000496208668,false,,false,false,false,,,false,false,,2022-02-25T12:25:04.000Z,0
CVE-2021-40862,https://securityvulnerability.io/vulnerability/CVE-2021-40862,Privilege Escalation Risk in HashiCorp Terraform Enterprise,"HashiCorp Terraform Enterprise versions up to v202108-1 include an API endpoint that reveals sensitive URLs to authenticated users. This disclosure may allow attackers to exploit the information for privilege escalation or unauthorized modifications to Terraform configurations. The vulnerability was addressed in version v202109-1, which corrected the API functionality to prevent this sensitive information leak.",Hashicorp,Terraform Enterprise,8.8,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2021-09-15T18:03:45.000Z,0
CVE-2021-36230,https://securityvulnerability.io/vulnerability/CVE-2021-36230,Privilege Escalation Vulnerability in HashiCorp Terraform Enterprise,"HashiCorp Terraform Enterprise prior to version 202107-1 was susceptible to a privilege escalation vulnerability due to inadequate authorization checks for certain API requests executed using run tokens. This flaw allowed attackers to exploit the API and elevate their privileges to become organization owners, potentially leading to unauthorized access and control over sensitive resources. Users are strongly advised to upgrade to the latest version, v202107-1, to mitigate this security risk.",Hashicorp,Terraform,8.8,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2021-07-20T20:53:26.000Z,0
CVE-2021-30476,https://securityvulnerability.io/vulnerability/CVE-2021-30476,Configuration Vulnerability in HashiCorp Terraform's Vault Provider,"The Vault Provider for HashiCorp Terraform contained a configuration flaw that improperly set up GCE-type bound labels for its GCP authentication method. This misconfiguration could lead to unauthorized access or manipulation of sensitive data. The issue was rectified in version 2.19.1, highlighting the importance of staying updated to mitigate potential risks associated with misconfigured cloud security settings.",Hashicorp,Terraform Provider,9.8,CRITICAL,0.00774999987334013,false,,false,false,false,,,false,false,,2021-04-22T16:23:20.000Z,0
CVE-2021-3153,https://securityvulnerability.io/vulnerability/CVE-2021-3153,Two-Factor Authentication Bypass in HashiCorp Terraform Enterprise,"The vulnerability affects HashiCorp Terraform Enterprise versions up to v202102-2, where an organization-level setting meant to enforce two-factor authentication for users was not properly implemented. As a result, users operating within organizations could potentially access the system without enabling two-factor authentication, undermining the security measures intended to protect sensitive data. This flaw was addressed in version v202103-1, which enforced the two-factor authentication requirement correctly.",Hashicorp,Terraform Enterprise,6.5,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2021-03-26T02:51:57.000Z,0
CVE-2020-15511,https://securityvulnerability.io/vulnerability/CVE-2020-15511,User Registration Bypass in HashiCorp Terraform Enterprise,"HashiCorp Terraform Enterprise versions up to v202006-1 contain a vulnerability that allows users to register on the platform even when the registration feature is disabled. This occurs due to a default signup page that does not enforce SAML authentication protocols, resulting in potential unauthorized access to the system. The issue has been addressed and resolved in version v202007-1.",Hashicorp,Terraform Enterprise,5.3,MEDIUM,0.0008099999977275729,false,,false,false,false,,,false,false,,2020-07-30T13:15:50.000Z,0
CVE-2019-19316,https://securityvulnerability.io/vulnerability/CVE-2019-19316,,"When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP.",Hashicorp,Terraform,7.5,HIGH,0.0014100000262260437,false,,false,false,false,,,false,false,,2019-12-02T20:50:44.000Z,0
CVE-2018-9057,https://securityvulnerability.io/vulnerability/CVE-2018-9057,,"aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.",Hashicorp,Terraform,9.8,CRITICAL,0.006829999852925539,false,,false,false,false,,,false,false,,2018-03-27T18:00:00.000Z,0