Terraform 1.0.8 through 1.5.6 allows arbitrary file write during the init operation if run on maliciously crafted Terraform configuration. This vulnerability, CVE-2023-4782, was fixed in Terraform 1.5.7. The original security bulletin is here.
The core Terraform workflow uses 3 main operations:
The Terraform init operation initializes a working directory containing Terraform configuration files, downloading the required modules and providers for subsequent plan and apply operations.
While both the plan and apply operations are intended to execute the user-supplied Terraform configuration, init is intended only to be used for installing dependencies specified in the Terraform configuration.
An external party reported that it was possible to coerce Terraform into writing arbitrary files during the init operation by supplying a maliciously crafted Terraform configuration.
Terraform considers the provided Terraform configuration to be trusted when executing plan and apply, and does not attempt to defend against malicious modules and providers when executing these operations. By contrast, init is intended to be a safer operation, allowing users to review the installed modules and providers prior to executing
Exposure associated with this issue will depend on the environment in which Terraform is being executed and, for many deployments, may present minimal additional risk. In order for this vulnerability to pose a privilege escalation risk, the following conditions must be met:
- Terraform init is run on untrusted Terraform configuration, or Terraform configuration containing untrusted modules.
- The Terraform user is relying on security validations performed on the dependencies installed by Terraform init prior to running the Terraform
Terraform Cloud and Terraform Enterprise combine the init and plan operations during Terraform runs, so this issue does not break the documented security model. Recommendations for secure use, specifically regarding use of trusted providers / modules and control of access to configuration source code, remain applicable.
Customers should evaluate the risk associated with this issue, specifically with the conditions above in mind, and consider upgrading to Terraform 1.5.7 or newer.
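A small check that a CI pipeline or build host can run before initializing configuration from an untrusted source, added here as an example and not part of the HashiCorp bulletin. It decides whether an installed Terraform binary falls inside the affected range the bulletin names (1.0.8 through 1.5.6, fixed in 1.5.7). The JSON sample is constructed to look like `terraform version -json` output; the `terraform_version` key name is an assumption of this example.

```python
"""Check a Terraform version string against the CVE-2023-4782 affected range.

Added example, not from the HashiCorp bulletin. The affected range
(1.0.8 through 1.5.6, fixed in 1.5.7) comes from the bulletin; the
sample JSON below is constructed to resemble `terraform version -json`
output and is not captured from a real run.
"""
import json
import re
from typing import Dict, Tuple

# Inclusive lower bound and exclusive upper bound of the affected range.
AFFECTED_MIN: Tuple[int, int, int] = (1, 0, 8)
FIXED_IN: Tuple[int, int, int] = (1, 5, 7)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (optional leading 'v', optional prerelease tag) into a tuple.

    Prerelease tags such as '-beta1' are ignored, so a 1.5.7 prerelease is
    treated as 1.5.7 here; tighten this if prereleases are in use.
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is within [1.0.8, 1.5.7), i.e. vulnerable."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def check_version_json(raw_json: str) -> Dict[str, object]:
    """Evaluate the JSON form of `terraform version` output (key name assumed)."""
    data = json.loads(raw_json)
    version = data["terraform_version"]
    return {"version": version, "affected": is_affected(version)}


# Constructed sample, not real captured output.
SAMPLE_JSON = '{"terraform_version": "1.5.6", "platform": "linux_amd64"}'

if __name__ == "__main__":
    result = check_version_json(SAMPLE_JSON)
    state = "AFFECTED by CVE-2023-4782" if result["affected"] else "not affected"
    print(f"Terraform {result['version']}: {state}")
```

Wiring this into a pipeline gate (refuse to run `init` on externally sourced configuration when `is_affected` returns `True`) addresses the first of the two conditions listed above; it does not replace reviewing the modules and providers that `init` installs.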