CVE-2019-19316
Information Disclosure vulnerability in terraform (Go)
What is CVE-2019-19316 About?
Terraform versions prior to 0.12.17, when using the Azure backend with a Shared Access Signature (SAS), may transmit the SAS token and state snapshot via cleartext HTTP. This can lead to sensitive information disclosure if intercepted. Exploitation is remote and requires an attacker to eavesdrop on network traffic.
Affected Software
Technical Details
In Terraform versions before 0.12.17 configured to use the Azure backend with a Shared Access Signature (SAS), the SAS token and the state snapshot were transmitted over cleartext HTTP instead of HTTPS. The sensitive data (the SAS token used for authentication/authorization and the infrastructure state snapshot) therefore crossed the network unencrypted. An attacker eavesdropping on or sniffing that traffic could capture the SAS token and potentially the entire state snapshot of the infrastructure, leading to unauthorized access and information disclosure.
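To check for past exposure, a defender can search proxy or flow logs for plain-HTTP requests to Azure Blob Storage that carry a SAS signature. The Go sketch below is an added example, not code from Terraform or the advisory. It assumes logs that record full request URLs, the public-cloud `blob.core.windows.net` endpoint, and a SAS token in the query string with its signature in `sig`; the log layout, account name and token value are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding is one cleartext request that carried a SAS signature.
type Finding struct {
	Host, Path, Redacted string // Redacted: URL with sig masked, safe to log
}

// CheckURL reports whether raw is a plain-HTTP Azure Blob request with a SAS "sig" parameter.
func CheckURL(raw string) (Finding, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "http" {
		return Finding{}, false
	}
	host := strings.ToLower(u.Hostname())
	q := u.Query()
	if !strings.HasSuffix(host, ".blob.core.windows.net") || q.Get("sig") == "" {
		return Finding{}, false
	}
	q.Set("sig", "REDACTED") // never copy the live signature into alerts
	u.RawQuery = q.Encode()
	return Finding{Host: host, Path: u.Path, Redacted: u.String()}, true
}

// ScanLog checks every whitespace-separated field of the log as a URL.
func ScanLog(log string) []Finding {
	var out []Finding
	for _, field := range strings.Fields(log) {
		if f, ok := CheckURL(field); ok {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample: log layout, account name and token are made up.
const sampleLog = `2019-11-20T10:00:01Z 10.0.0.5 PUT http://examplestate.blob.core.windows.net/tfstate/prod.tfstate?sv=2019-02-02&sp=rw&sig=CONSTRUCTED 201
2019-11-20T10:00:02Z 10.0.0.5 PUT https://examplestate.blob.core.windows.net/tfstate/prod.tfstate?sv=2019-02-02&sp=rw&sig=CONSTRUCTED 201
2019-11-20T10:00:03Z 10.0.0.7 GET http://examplestate.blob.core.windows.net/public/logo.png 200`

func main() {
	fmt.Printf("%+v\n", ScanLog(sampleLog))
}
```

Any SAS token that appears in a finding should be treated as disclosed and rotated, and the state it protected reviewed for embedded secrets.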
What is the Impact of CVE-2019-19316?
Successful exploitation may allow attackers to intercept and gain unauthorized access to sensitive information, including authentication tokens and infrastructure state snapshots, potentially leading to unauthorized access or system compromise.
What is the Exploitability of CVE-2019-19316?
Exploitation requires an attacker to be positioned on the network path between the Terraform client and the Azure backend to perform network eavesdropping. The complexity is low, as it primarily involves sniffing unencrypted traffic. No authentication to the Terraform application itself is needed, but the victim user must be performing Terraform operations with the vulnerable configuration. This is a remote attack. Privilege requirements are minimal for the attacker, needing only network access. The risk is high in insecure network environments or if the attacker can compromise an intermediate network device.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-19316?
Available Upgrade Options
- github.com/hashicorp/terraform
  - <0.12.17 → Upgrade to 0.12.17
Additional Resources
- https://github.com/hashicorp/terraform/security/advisories/GHSA-4rvg-555h-r626
- https://pkg.go.dev/vuln/GO-2022-0839
- https://github.com/hashicorp/terraform/issues/23493
- https://nvd.nist.gov/vuln/detail/CVE-2019-19316
- https://github.com/advisories/GHSA-h3p9-wrgx-82cm
- https://github.com/hashicorp/terraform
- https://github.com/hashicorp/terraform/commit/6db3cf8e5b4cfb2a3cd1d99a813b50b2d5d363bb
What are Similar Vulnerabilities to CVE-2019-19316?
Similar Vulnerabilities: CVE-2023-38038, CVE-2022-24765, CVE-2021-43282, CVE-2022-26134, CVE-2023-28709
