Hello,
We would like to enquire about the following vulnerabilities that have been flagged in the latest Terraform versions 1.5.7 and 1.7.5. We are already on the latest version of both Terraform lines, but these CVEs are still flagged after our scans, and we would like to know if there are any plans to fix them in the future. Below is the list of vulnerabilities for both versions:
Terraform 1.5
- CVE-2023-39318
- CVE-2023-39319
- CVE-2023-39325
- CVE-2023-39326
- CVE-2023-3978
- CVE-2023-44487
- CVE-2023-45283
- CVE-2023-45284
- CVE-2023-45288
- CVE-2023-45289
- CVE-2023-45290
- CVE-2024-24783
- CVE-2024-24784
- CVE-2024-24786
- CVE-2024-3817
- GHSA-m425-mq94-257g
Terraform 1.7
- CVE-2023-45288
- CVE-2024-24786
- CVE-2024-3817
- GHSA-9763-4f94-gfch
Hi @irfanasyraf,
Neither Terraform v1.5 nor v1.7 is being actively developed, and they are not likely to get any further updates. I did not search and review the majority of the advisories on this list, but in most cases they are not relevant to Terraform, and are only reported due to dependency scanners which cannot understand the context in which the vulnerability might be relevant. For example, Terraform doesn’t start a public http2 server, so vulnerabilities about an http2 denial of service don’t affect Terraform.
Looking at the more recent CVEs listed here, it appears that CVE-2024-3817 is still under investigation, so it may warrant a fix being backported to a v1.8 release. If the risk is severe enough I could imagine earlier minor releases also being targeted, but we will have to see what results from the investigation.
Hi @jbardin,
Thank you for the prompt reply. We understand the context for most of the vulnerabilities that might not be relevant in this case, especially for v1.5.
On the other hand, can we get some justification for the CVEs flagged in 1.7.5? It would be best if we can get a justification that they will either not be patched in future versions or that there are plans for them, similar to CVE-2024-3817. Below are the CVEs for your reference in v1.7.5:
- CVE-2023-45288
- CVE-2024-24786
- CVE-2024-3817
- GHSA-9763-4f94-gfch
Thank You!
Hi @jbardin,
Can I get a justification for CVE-2024-24786 & GHSA-9763-4f94-gfch as mentioned in our previous thread?
Any help will be much appreciated.
Thank You!
Hi @irfanasyraf, I don’t understand exactly what you are looking for as “justification”, but neither of those appear to apply to Terraform. If you have specific concerns about a vulnerability in a HashiCorp product, you can contact the security team: Security at HashiCorp