阿里云漏洞库

漏洞描述

Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.

解决建议

"将组件 terraform_enterprise 升级至 202306-1 及以上版本"

参考链接
https://discuss.hashicorp.com/t/hcsec-2023-18-terraform-enterprise-agent-pool...

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	hashicorp	terraform_enterprise	*	From (including) 202207-1	Up to (excluding) 202306-1
	运行在以下环境
	系统	alma_linux_9	npm	*		Up to (excluding) 16.19.1-2.el9_2
	运行在以下环境
	系统	amazon_2	ecs-service-connect-agent	*		Up to (excluding) 1.amzn2
	运行在以下环境
	系统	amazon_2023	c-ares	*		Up to (excluding) 1.19.0-1.amzn2023
	运行在以下环境
	系统	fedora_37	c-ares	*		Up to (excluding) 1.19.1-1.fc37
	运行在以下环境
	系统	fedora_38	c-ares	*		Up to (excluding) 1.19.1-1.fc38
	运行在以下环境
	系统	opensuse_5.3	libcares2	*		Up to (excluding) 1.19.1-150000.3.23.1
	运行在以下环境
	系统	opensuse_Leap_15.4	npm16	*		Up to (excluding) 16.20.1-150400.3.21.1
	运行在以下环境
	系统	opensuse_Leap_15.5	npm18	*		Up to (excluding) 18.16.1-150400.9.9.1
	运行在以下环境
	系统	oracle_9	npm	*		Up to (excluding) 16.19.1-2.el9_2
	运行在以下环境
	系统	redhat_9	npm	*		Up to (excluding) 8.19.3-1.16.19.1.2.el9_2
	运行在以下环境
	系统	suse_12_SP5	libcares2	*		Up to (excluding) 1.9.1-9.12.1

攻击路径

网络
攻击复杂度

低
权限要求

低
影响范围

已更改
用户交互

无
可用性

无
保密性

高
完整性

无

CWE-ID	漏洞类型
CWE-863	授权机制不正确

HashiCorp Terraform 安全漏洞(CVE-2023-3114)

漏洞描述

解决建议

参考链接

受影响软件情况