Bulletin ID: HCSEC-2020-15
Affected Products / Versions: Terraform Enterprise up to v202006-1; fixed in v202007-1.
Publication Date: 2 July, 2020
Summary
HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. This vulnerability, CVE-2020-15511, was fixed in v202007-1.
Background
Terraform Enterprise allowed single sign-on to be enabled via SAML (documentation).
Details
It was observed that a default signup page included in the Terraform Enterprise application allowed user registration even when self-registration was disabled, bypassing SAML enforcement.
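The bug class described above, as an added illustration that is not Terraform Enterprise code (the handler names, settings fields and in-memory user store are hypothetical): a registration handler that relies on the UI hiding the signup link instead of re-checking the server-side policy, beside a hardened version that refuses the request and records it for detection.

```python
"""Illustration of the HCSEC-2020-15 bug class: a signup handler that still
registers users when self-signup is disabled and SAML is enforced.
Hypothetical code, not Terraform Enterprise's implementation."""
from dataclasses import dataclass, field


@dataclass
class Settings:
    signup_enabled: bool = True   # admin setting; False means "signup disabled"
    saml_enforced: bool = False   # True means all logins must go through SAML


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)   # username -> account record
    audit: list = field(default_factory=list)   # refused attempts, for alerting


def render_login_page(settings: Settings) -> list:
    # UI layer: hides the signup link when policy forbids it.
    # Hiding a link is not enforcement; the route behind it must check too.
    links = ["login"]
    if settings.signup_enabled and not settings.saml_enforced:
        links.append("signup")
    return links


def signup_vulnerable(settings: Settings, store: UserStore, username: str) -> int:
    # Vulnerable pattern: the handler assumes it is only reachable via the
    # (hidden) link and never re-evaluates policy, so a direct request to the
    # default route creates a local, non-SAML account.
    store.users[username] = {"auth": "local"}
    return 201


def signup_hardened(settings: Settings, store: UserStore, username: str) -> int:
    # Hardened pattern: re-evaluate the same policy the UI used before any
    # state changes, and log the refusal so bypass attempts are visible.
    if settings.saml_enforced or not settings.signup_enabled:
        store.audit.append(
            f"signup refused for {username!r}: "
            f"saml_enforced={settings.saml_enforced} "
            f"signup_enabled={settings.signup_enabled}"
        )
        return 403
    store.users[username] = {"auth": "local"}
    return 201
```

With SAML enforced, the vulnerable handler still returns 201 and stores a local account, while the hardened one returns 403 and leaves an audit entry to alert on.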
Remediation
Upgrade to Terraform Enterprise v202007-1.
Acknowledgement
This issue was identified by Nick Frichette of State Farm Information Security, who reported it privately to HashiCorp.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.