HCSEC-2023-18 - Terraform Enterprise Agent Pool Controls Allowed Unauthorized Workspaces to Target an Agent Pool

Bulletin ID: HCSEC-2023-18
Affected Products / Versions: Terraform Enterprise since v202207-1, fixed in v202306-1

Publication Date: June 22, 2023

Terraform Enterprise since version v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents within the organization. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.

Workspaces in Terraform Enterprise may be configured to run via Cloud Agents, which allows Terraform Enterprise to communicate with isolated, private, or on-premises infrastructure. Since TFE v202207-1, administrators of a Terraform Enterprise organization may configure the agent pool to be global to the organization (allowing all workspaces to target that agent pool), or may grant access to only a specific set of workspaces.

During internal testing, it was discovered that the authorization controls for allowing specific workspaces to target an agent pool did not work properly, and it was possible for any workspace within the organization to target that agent pool. This flaw has existed since the feature was introduced in TFE version v202207-01.

Customers should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise v202306-1

This issue was identified by the Terraform engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.