Bug 1215194 (CVE-2023-4782) - VUL-0: CVE-2023-4782: terraform: Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration
Status: NEW
Alias: CVE-2023-4782
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Terraform Maintainers
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/377755/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-11 07:14 UTC by Gianluca Gabrielli
Modified: 2023-09-12 07:49 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2023-09-11 07:14:51 UTC
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the
`init` operation if run on maliciously crafted Terraform configuration. This
vulnerability is fixed in Terraform 1.5.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4782
https://www.cve.org/CVERecord?id=CVE-2023-4782
https://discuss.hashicorp.com/t/hcsec-2023-27-terraform-allows-arbitrary-file-write-during-init-operation/58082
Comment 1 Gianluca Gabrielli 2023-09-11 07:20:42 UTC
According to the affected versions, none of the SLE-based products are affected, since we ship the following too-old (not affected) versions:

- SUSE:SLE-15-SP1:Update v0.13.4
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update v0.12.19
- SUSE:SLE-15-SP2:Update v0.13.4

openSUSE:Factory/terraform, instead, requires a version bump to v1.5.7, or this patch [0] should be backported.

[0] https://github.com/hashicorp/terraform/commit/0f2314fb62193c4be94328cc026fcb7ec1e9b893