Terraform Enterprise
by HashiCorp
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-13432 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied.… |
| CVE-2023-3114 | | | 0.00 | — | 0.00 | | Jun 22, 2023 | Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged… |
| CVE-2022-25374 | | | 0.00 | — | 0.01 | | Feb 25, 2022 | HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1. |
| CVE-2021-40862 | | | 0.00 | — | 0.01 | | Sep 15, 2021 | HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1. |
| CVE-2021-36230 | | | 0.00 | — | 0.01 | | Jul 20, 2021 | HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1. |
| CVE-2021-3153 | | | 0.00 | — | 0.01 | | Mar 26, 2021 | HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1. |
| CVE-2020-15511 | | | 0.00 | — | 0.01 | | Jul 30, 2020 | HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Fixed in v202007-1. |