CVE-2021-36230 — Vulnetix

CVE-2021-36230 PUBLISHED CVSS 8.800000190734863 HIGH

HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1.

EPSS 0.41% · 61.9th percentile

Risk Scores

CVSS v3.1

8.800000190734863

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.41%

61.9th percentile

Affected Products

Vendor	Product	Versions
hashicorp	terraform	0
n/a	n/a	n/a

Timeline

Jul 20, 2021 CVE Published
Jul 21, 2021 EPSS Score
Sep 18, 2021 EPSS Score
Nov 17, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Jan 15, 2022 EPSS Score
Mar 15, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 14, 2022 EPSS Score
Jul 12, 2022 EPSS Score
Sep 10, 2022 EPSS Score
Nov 9, 2022 EPSS Score

References

https://www.hashicorp.com/blog/category/terraform/ url
https://discuss.hashicorp.com/t/hcsec-2021-18-terraform-enterprise-allowed-privilege-escalation-via-run-token/27070 url
https://nvd.nist.gov/vuln/detail/CVE-2021-36230 advisory
https://www.hashicorp.com/blog/category/terraform url

Open in Interactive Console →