Bug 1212647 (CVE-2023-3114)

Summary: VUL-0: CVE-2023-3114: terraform: Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Alexander Osthof <aosthof>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370244/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-06-23 09:55:38 UTC
CVE-2023-3114

Terraform Enterprise since v202207-1 did not properly implement authorization
rules for agent pools, allowing the workspace to be targeted by unauthorized
agents. This authorization flaw could potentially allow a workspace to access
resources from a separate, higher-privileged workspace in the same organization
that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in
Terraform Enterprise v202306-1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3114
https://www.cve.org/CVERecord?id=CVE-2023-3114
http://www.cvedetails.com/cve/CVE-2023-3114/
https://discuss.hashicorp.com/t/hcsec-2023-18-terraform-enterprise-agent-pool-controls-allowed-unauthorized-workspaces-to-target-an-agent-pool/55329

Comment 1 Cathy Hu 2023-06-23 09:58:13 UTC
Only affects the enterprise version, closing as invalid.