Bulletin ID: HCSEC-2020-15
Affected Products / Versions: Terraform Enterprise up to v202006-1; fixed in v202007-1.
Publication Date: 2 July, 2020
HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. This vulnerability, CVE-2020-15511, was fixed in v202007-1.
Terraform Enterprise allowed single sign-on to be enabled via SAML, as described in its documentation.
It was observed that a default signup page was included within the Terraform Enterprise application that allowed user registration even when registration was disabled, bypassing SAML enforcement.
Upgrade to Terraform Enterprise v202007-1.
This issue was identified by Nick Frichette of State Farm Information Security, who reported it privately to HashiCorp.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.