Context
Terraform Enterprise provides single sign-on (SSO) functionality via optional SAML integration with an identity provider. This is implemented using the Ruby SAML library, which disclosed an authentication bypass vulnerability exploitable by an XML signature wrapping attack, CVE-2024-45409.
HashiCorp’s internal testing, targeting an SSO-enabled Terraform Enterprise deployment, has not confirmed exploitability at this time. However, the Ruby SAML library used by Terraform Enterprise has been upgraded to a newer release in which the vulnerability is addressed, starting with Terraform Enterprise release v202409-1 and onward.
Remediation
Customers using Terraform Enterprise’s SSO feature should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise v202409-1 or newer. Please refer to Upgrade Terraform Enterprise for general guidance and Terraform Enterprise Releases for version-specific upgrade notes.
Customers who use Terraform Enterprise’s SSO but are unable to upgrade to v202409-1 or higher in the near future should consider enabling Terraform Enterprise’s integrated two-factor authentication functionality. If enabled prior to an attack, this may reduce the impact of a SAML authentication bypass. Organization owners can require team members to enable two-factor authentication in their organization’s Settings page.
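The remediation guidance above amounts to a small decision procedure per deployment: is SSO in use, is the release at or past v202409-1, and if not, is two-factor authentication required as a stop-gap. The following script is an added example, not HashiCorp code or part of this advisory; it applies that procedure to a constructed inventory of Terraform Enterprise deployments. It assumes the release tags follow the "vYYYYMM-N" form seen in the advisory and that the inventory fields (SSO enabled, two-factor required) have been collected by the operator by some other means.

```python
"""Assess Terraform Enterprise deployments against the ruby-saml advisory.

Added example (not HashiCorp code): each deployment in a constructed inventory
is classified as not-affected, remediated, mitigated, or exposed, following the
advisory's guidance (upgrade to v202409-1+, otherwise require two-factor).
"""
import re
from dataclasses import dataclass

# The first release the advisory names as carrying the fixed library.
FIXED_RELEASE = "v202409-1"

# Terraform Enterprise release tags look like v202409-1: year, month, sequence.
RELEASE_RE = re.compile(r"^v(\d{4})(\d{2})-(\d+)$")


def parse_release(tag: str) -> tuple[int, int, int]:
    """Turn a release tag such as 'v202409-1' into a comparable (year, month, seq)."""
    m = RELEASE_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Terraform Enterprise release tag: {tag!r}")
    year, month, seq = (int(g) for g in m.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"release tag has an impossible month: {tag!r}")
    return year, month, seq


def is_remediated(tag: str) -> bool:
    """True when the deployment runs v202409-1 or a later release."""
    return parse_release(tag) >= parse_release(FIXED_RELEASE)


@dataclass
class Deployment:
    name: str
    release: str
    sso_enabled: bool          # SAML SSO configured on this instance
    two_factor_required: bool  # organization owners require 2FA for members


def assess(d: Deployment) -> str:
    """Classify one deployment according to the advisory's remediation guidance."""
    if not d.sso_enabled:
        return "not-affected"   # the SAML code path is not in use
    if is_remediated(d.release):
        return "remediated"     # fixed library shipped with this release
    if d.two_factor_required:
        return "mitigated"      # impact reduced; upgrade is still the fix
    return "exposed"            # SSO on, old release, no compensating control


# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Deployment("tfe-prod", "v202409-1", sso_enabled=True, two_factor_required=False),
    Deployment("tfe-staging", "v202407-1", sso_enabled=True, two_factor_required=True),
    Deployment("tfe-legacy", "v202312-1", sso_enabled=True, two_factor_required=False),
    Deployment("tfe-lab", "v202405-1", sso_enabled=False, two_factor_required=False),
]


def report(deployments: list[Deployment]) -> dict[str, str]:
    """Map each deployment name to its assessment; 'exposed' entries need action first."""
    return {d.name: assess(d) for d in deployments}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12s} {status}")
```

Only deployments classified as "exposed" combine all three conditions the advisory warns about; "mitigated" entries still belong on the upgrade schedule, since two-factor authentication reduces impact rather than closing the bypass.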