
HCSEC-2023-27

HCSEC-2023-27 PUBLISHED

**Bulletin ID:** HCSEC-2023-27

**Affected Products / Versions:** Terraform 1.0.8 through 1.5.6; fixed in 1.5.7.

**Publication Date:** September 8, 2023

**Summary**

Terraform 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability, CVE-2023-4782, was fixed in Terraform 1.5.7.

**Background**

The [core Terraform workflow](https://developer.hashicorp.com/terraform/tutorials/cli/plan) uses three main operations: `init`, `plan`, and `apply`. The Terraform [init](https://developer.hashicorp.com/terraform/cli/commands/init) operation initializes a working directory containing Terraform configuration files, downloading the required modules and providers for subsequent `plan` and `apply` operations. While both the `plan` and `apply` operations are intended to execute the user-supplied Terraform configuration, `init` is intended only to install the dependencies specified in the Terraform configuration.

**Details**

An external party reported that it was possible to coerce Terraform into writing arbitrary files during the `init` operation by supplying a maliciously crafted Terraform configuration. Terraform considers the provided Terraform configuration to be trusted when executing `plan` and `apply`, and does not attempt to defend against malicious modules and providers when executing these operations. By contrast, `init` is intended to be a safer operation, allowing users to review the installed modules and providers prior to executing `plan` or `apply`.

Exposure associated with this issue will depend on the environment in which Terraform is being executed and, for many deployments, may present minimal additional risk. In order for this vulnerability to pose a privilege escalation risk, the following conditions must be met:

1. Terraform `init` is run on untrusted Terraform configuration, or on Terraform configuration containing untrusted modules.
2. The Terraform user is relying on security validations performed on the dependencies installed by Terraform `init` prior to running the Terraform `plan` or `apply` operations.

Terraform Cloud and Terraform Enterprise combine the `init` and `plan` operations during Terraform runs, so this issue does not break the documented [security model](https://developer.hashicorp.com/terraform/cloud-docs/architectural-details/security-model). Recommendations for secure use, specifically regarding use of trusted providers / modules and control of access to configuration source code, remain applicable.

**Remediation**

Customers should evaluate the risk associated with this issue, specifically with the conditions above in mind, and consider upgrading to Terraform 1.5.7 or newer.

**Acknowledgement**

HashiCorp thanks Lum14n of Eagle Cloud Security Technology for the discovery of this issue.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
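As an added example (not HashiCorp's code or part of the bulletin), a small POSIX shell guard that refuses to run `terraform init` against configuration from an untrusted source when the local binary falls in the affected 1.0.8 through 1.5.6 range. It assumes `terraform` is on `PATH` and that `terraform version -json` reports a `terraform_version` field; the untrusted-directory policy is a constructed stand-in for whatever your pipeline uses.

```shell
#!/bin/sh
# Added example, not HashiCorp's code: gate `terraform init` on the
# installed Terraform version against the CVE-2023-4782 affected range
# (1.0.8 through 1.5.6; fixed in 1.5.7).

# version_key MAJOR.MINOR.PATCH -> single integer for numeric comparison.
# Strips a leading "v" and any pre-release suffix such as "-beta1".
version_key() {
    v=$(printf '%s\n' "$1" | sed 's/^v//; s/-.*$//')
    major=$(printf '%s\n' "$v" | cut -d. -f1)
    minor=$(printf '%s\n' "$v" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$v" | cut -s -d. -f3)
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Exit status 0 when VERSION is inside the affected range, 1 otherwise.
tf_affected_by_cve_2023_4782() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.0.8)" ] && [ "$k" -le "$(version_key 1.5.6)" ]
}

# Run `terraform init` in DIR only if the local binary is not affected.
# Assumption: `terraform version -json` emits "terraform_version": "X.Y.Z".
safe_tf_init() {
    dir=$1
    ver=$(terraform version -json |
        sed -n 's/.*"terraform_version": *"\([^"]*\)".*/\1/p')
    if tf_affected_by_cve_2023_4782 "$ver"; then
        echo "terraform $ver is in the CVE-2023-4782 affected range;" \
             "refusing init on untrusted configuration in $dir" >&2
        return 2
    fi
    (cd "$dir" && terraform init -input=false)
}
```

Wire `safe_tf_init` into the step that initializes checked-out third-party configuration; a non-zero exit blocks the run until the binary is upgraded to 1.5.7 or newer.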

Timeline

  • Sep 8, 2023 CVE Published