Bug 1215194 (CVE-2023-4782)

Summary: VUL-0: CVE-2023-4782: terraform: Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Terraform Maintainers <terraform-maintainers>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/377755/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2023-09-11 07:14:51 UTC
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the
`init` operation if run on maliciously crafted Terraform configuration. This
vulnerability is fixed in Terraform 1.5.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4782
https://www.cve.org/CVERecord?id=CVE-2023-4782
https://discuss.hashicorp.com/t/hcsec-2023-27-terraform-allows-arbitrary-file-write-during-init-operation/58082
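The description above only states the outcome (a crafted configuration makes `terraform init` write files it should not). The Go program below is an added, generic illustration of the containment check an installer needs for this class of bug, written for this page; it is not Terraform's code and does not claim to reconstruct the root cause or the fix in the referenced commit. `SafeJoin` and `WriteContained` are hypothetical helper names and the sample paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesBase is returned when a requested path would land outside the
// one directory the installer is allowed to write into.
var ErrEscapesBase = errors.New("path escapes the install directory")

// SafeJoin resolves requested (a relative path taken from untrusted
// configuration) against base and returns the absolute target only if it is
// inside base. Hypothetical helper; not a Terraform API.
func SafeJoin(base, requested string) (string, error) {
	if filepath.IsAbs(requested) {
		return "", fmt.Errorf("%w: absolute path %q", ErrEscapesBase, requested)
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join already Cleans, so "modules/../../x" collapses before the check.
	candidate := filepath.Join(absBase, requested)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	// Anything that left base now begins with "..". The separator test keeps a
	// legitimately named entry such as "..cache" from being rejected.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrEscapesBase, requested, candidate)
	}
	return candidate, nil
}

// WriteContained writes data to requested, but only when SafeJoin accepts the
// path. The parent directory is created as needed, as an installer would.
func WriteContained(base, requested string, data []byte) (string, error) {
	target, err := SafeJoin(base, requested)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(target, data, 0o644); err != nil {
		return "", err
	}
	return target, nil
}

func main() {
	base, err := os.MkdirTemp("", "install-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	// Constructed sample paths: the first is what a normal module install
	// looks like, the rest are the shapes a malicious configuration would use.
	for _, p := range []string{
		"modules/vpc/main.tf",
		"../outside.tf",
		"modules/../../../tmp/outside.tf",
		"/etc/cron.d/outside",
	} {
		target, err := WriteContained(base, p, []byte("# written by installer\n"))
		if err != nil {
			fmt.Printf("rejected %-35q %v\n", p, err)
			continue
		}
		fmt.Printf("wrote    %-35q -> %s\n", p, target)
	}
}
```

The check is lexical: it stops `..` segments and absolute paths, which is the minimum any code that derives a write target from configuration must do. It does not resolve symlinks that already exist under `base`, so a real installer that also extracts or copies untrusted content must additionally refuse symlinks pointing outside the tree (for example by comparing `filepath.EvalSymlinks` results) before writing through them.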
Comment 1 Gianluca Gabrielli 2023-09-11 07:20:42 UTC
According to the affected version range, none of the SLE-based products is affected, since we ship the following older (not affected) versions:

- SUSE:SLE-15-SP1:Update v0.13.4
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update v0.12.19
- SUSE:SLE-15-SP2:Update v0.13.4

openSUSE:Factory/terraform, instead, requires a version bump to v1.5.7, or this patch [0] should be backported.


[0] https://github.com/hashicorp/terraform/commit/0f2314fb62193c4be94328cc026fcb7ec1e9b893