Terraform vulnerability for version 1.5.7 & 1.7.5

Hello,

We would like to enquire about the following vulnerabilities that have been flagged in the latest Terraform versions 1.5.7 and 1.7.5. We are already on the latest version of both Terraform lines, but these CVEs are still flagged after our scans, and we would like to know if there are any plans to fix them in the future. Below is the list of vulnerabilities for both versions:

Terraform 1.5

  • CVE-2023-39318
  • CVE-2023-39319
  • CVE-2023-39325
  • CVE-2023-39326
  • CVE-2023-3978
  • CVE-2023-44487
  • CVE-2023-45283
  • CVE-2023-45284
  • CVE-2023-45288
  • CVE-2023-45289
  • CVE-2023-45290
  • CVE-2024-24783
  • CVE-2024-24784
  • CVE-2024-24786
  • CVE-2024-3817
  • GHSA-m425-mq94-257g

Terraform 1.7

  • CVE-2023-45288
  • CVE-2024-24786
  • CVE-2024-3817
  • GHSA-9763-4f94-gfch

Hi @irfanasyraf,

Neither Terraform v1.5 nor v1.7 is being actively developed, and they are not likely to get any further updates. I did not search and review the majority of the advisories on this list, but in most cases they are not relevant to Terraform, and are only reported due to dependency scanners which cannot understand the context in which the vulnerability might be relevant. For example, Terraform doesn’t start a public http2 server, so vulnerabilities about an http2 denial of service don’t affect Terraform.

Looking at the more recent CVEs listed here, it appears that CVE-2024-3817 is still under investigation, so it may warrant a fix being backported to a v1.8 release. If the risk is severe enough I could imagine that earlier minor releases would also be targeted, but we will have to see what results from the investigation.

Hi @jbardin ,

Thank you for the prompt reply. Understood regarding the context for most of the vulnerabilities that might not be relevant in this case, especially for v1.5.

On the other hand, can we get some justification for the CVEs flagged in 1.7.5? It would be best if we could get a justification stating either that they will not be patched in future versions or that there are plans for them, similar to CVE-2024-3817. Below are the CVEs for your reference in v1.7.5:

  • CVE-2023-45288
  • CVE-2024-24786
  • CVE-2024-3817
  • GHSA-9763-4f94-gfch

Thank You!
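An added example (not from this thread or from the Terraform project) of how the per-advisory justification asked for above can be recorded rather than re-litigated on every scan: a constructed scanner finding list for 1.7.5 is matched against analyst-authored VEX statements using OpenVEX status and justification values, following the maintainer's point that an advisory in a code path the product never exercises is not exploitable. The statements are placeholders, not assessments of the real advisories.

```python
"""Triage a dependency-scanner finding list against VEX statements.

Scanners flag every advisory present in a dependency; a VEX (Vulnerability
Exploitability eXchange) statement records whether the product is actually
affected and why. All sample data below is constructed for this example.
"""
import json

# Constructed scanner output, using the IDs the thread lists for Terraform 1.7.5.
SCANNER_REPORT = {
    "product": "terraform@1.7.5",
    "findings": ["CVE-2023-45288", "CVE-2024-24786", "CVE-2024-3817",
                 "GHSA-9763-4f94-gfch"],
}

# OpenVEX justification values allowed for a "not_affected" status.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed analyst statements (placeholders, not real assessments). The
# first mirrors the "code path never exercised" argument from the thread; the
# last is deliberately incomplete so the validation branch is exercised.
VEX_STATEMENTS = [
    {"vuln": "CVE-2023-45288", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "CVE-2024-3817", "status": "under_investigation"},
    {"vuln": "CVE-2024-24786", "status": "not_affected"},
]


def triage(report, statements):
    """Map each finding to a disposition. Findings without a statement, and
    not_affected claims lacking a recognised justification, stay open."""
    by_id = {s["vuln"]: s for s in statements}
    closed, open_, invalid = {}, [], []
    for vuln in report["findings"]:
        stmt = by_id.get(vuln, {})
        status = stmt.get("status")
        if status == "fixed":
            closed[vuln] = "fixed"
        elif status == "not_affected":
            just = stmt.get("justification")
            if just in NOT_AFFECTED_JUSTIFICATIONS:
                closed[vuln] = just
            else:  # an unjustified not_affected claim is not accepted
                invalid.append(vuln)
                open_.append(vuln)
        else:  # affected, under_investigation, or no statement at all
            open_.append(vuln)
    return {"closed": closed, "open": open_, "invalid": invalid}


if __name__ == "__main__":
    print(json.dumps(triage(SCANNER_REPORT, VEX_STATEMENTS), indent=2))
```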