Bug 1212647 (CVE-2023-3114) - VUL-0: CVE-2023-3114: terraform: Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools
Status: RESOLVED INVALID
Alias: CVE-2023-3114
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Alexander Osthof
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370244/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-23 09:55 UTC by Cathy Hu
Modified: 2023-06-23 09:58 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Cathy Hu 2023-06-23 09:55:38 UTC
CVE-2023-3114

Terraform Enterprise since v202207-1 did not properly implement authorization
rules for agent pools, allowing the workspace to be targeted by unauthorized
agents. This authorization flaw could potentially allow a workspace to access
resources from a separate, higher-privileged workspace in the same organization
that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in
Terraform Enterprise v202306-1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3114
https://www.cve.org/CVERecord?id=CVE-2023-3114
http://www.cvedetails.com/cve/CVE-2023-3114/
https://discuss.hashicorp.com/t/hcsec-2023-18-terraform-enterprise-agent-pool-controls-allowed-unauthorized-workspaces-to-target-an-agent-pool/55329
Comment 1 Cathy Hu 2023-06-23 09:58:13 UTC
only affects enterprise version, closing invalid