HCSEC-2021-25 - Terraform Enterprise Configuration Versions API Discloses Sensitive URL

Bulletin ID: HCSEC-2021-XX
Affected Products / Versions: Terraform Enterprise up to v202108-1; fixed in v202109-1.
Publication Date: September 14, 2021

Summary
Terraform Enterprise versions up to v202108-1 included a sensitive URL in specific responses to the Configuration Versions API, allowing potential privilege escalation or configuration manipulation. This vulnerability, CVE-2021-40862, was fixed in Terraform Enterprise v202109-1.

Background
Terraform Enterprise utilizes an internal service for the storage of configuration version information. Access to this service is via URLs containing a securely generated secret (as documented) that are generated automatically when configuration versions are created.

Details
During internal security testing, it was found that an endpoint associated with the Configuration Versions API (used as part of the API-driven run workflow) erroneously exposed the sensitive URL associated with a Configuration Version.

A malicious user with read-only access to a workspace could leverage this weakness to perform privilege escalation or unauthorized modification of the Terraform configuration associated with a Terraform Enterprise workspace.

Note that the URLs in question expire after 25 hours.

Remediation
The sensitive URL is now only returned by the Configuration Versions API the first time it is generated, as required for Terraform Enterprise operation. The sensitive URL will not be returned on subsequent API interactions.

Customers should update to Terraform Enterprise v202109-1.

Acknowledgement
This issue was identified by the HashiCorp security team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.