Vulnerability Name: CVE-2019-19316 (CCN-172504)

Assigned: 2019-11-26
Published: 2019-11-26
Updated: 2021-07-21
Summary: When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP.
CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): None
  Availability (A): None
CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
Vulnerability Type: CWE-327
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2019-19316

Source: XF
Type: UNKNOWN
terraform-cve201919316-info-disc(172504)

Source: CCN
Type: Terraform GIT Repository
Cleartext transmission of Terraform state snapshots when using Azure backend with certain SAS tokens

Source: CONFIRM
Type: Third Party Advisory
https://github.com/hashicorp/terraform/security/advisories/GHSA-4rvg-555h-r626

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:hashicorp:terraform:*:*:*:*:*:*:*:* (Version < 0.12.17)

Configuration CCN 1:
  • cpe:/a:hashicorp:terraform:0.12.16:*:*:*:*:aws:*:*

* Denotes that component is vulnerable

Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:51576 | P | Security update for libtpms (Moderate) | 2022-12-13
oval:org.opensuse.security:def:201919316 | V | CVE-2019-19316 | 2022-09-02
oval:org.opensuse.security:def:3796 | P | Security update for ntfs-3g_ntfsprogs (Important) (in QA) | 2022-08-03
oval:org.opensuse.security:def:4648 | P | Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP5) (Important) | 2022-07-19
oval:org.opensuse.security:def:3790 | P | squashfs-4.3-6.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3459 | P | cracklib-2.9.0-7.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3807 | P | tpm2.0-tools-3.1.4-1.12 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95089 | P | terraform-0.13.4-6.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:4664 | P | Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP5) (Important) | 2022-02-01
oval:org.opensuse.security:def:113491 | P | terraform-0.14.10-1.12 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:51680 | P | Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important) | 2021-10-18
oval:org.opensuse.security:def:94188 | P | (Moderate) | 2021-10-06
oval:org.opensuse.security:def:106887 | P | terraform-0.14.10-1.12 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:69274 | P | Security update for php7-pear (Important) | 2021-09-13
oval:org.opensuse.security:def:51646 | P | Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important) | 2021-08-25
oval:org.opensuse.security:def:63132 | P | terraform-0.13.4-6.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2043 | P | terraform-0.13.4-6.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:100901 | P | libcacard0-2.5.3-1.27 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72730 | P | gradle-4.4.1-1.87 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1471 | P | Security update for python-rsa (Important) | 2021-06-17
oval:org.opensuse.security:def:70213 | P | Security update for webkit2gtk3 (Important) | 2021-05-04
oval:org.opensuse.security:def:66765 | P | Security update for p7zip (Moderate) | 2021-05-04
oval:org.opensuse.security:def:51755 | P | Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important) | 2021-03-17
oval:org.opensuse.security:def:66857 | P | Security update for ceph (Moderate) | 2021-01-05
oval:org.opensuse.security:def:63120 | P | terraform-0.12.19-3.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3904 | P | glib2-devel-2.48.2-12.15.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3977 | P | libfbembed-devel-2.5.2.26539-15.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107567 | P | terraform-0.12.19-3.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:117125 | P | terraform-0.12.19-3.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4003 | P | liblcms2-devel-2.7-9.7.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3845 | P | NetworkManager-1.0.12-13.12.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4010 | P | libmspack-devel-0.4-14.4 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2031 | P | terraform-0.12.19-3.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3888 | P | fontconfig-devel-2.11.1-7.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3960 | P | libblkid-devel-2.33.2-2.13 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3998 | P | libjpeg62-devel-62.2.0-31.14.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4006 | P | libmicrohttpd-devel-0.9.30-5.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3876 | P | dia-0.97.3-15.63 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72614 | P | ctags-5.8-1.27 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:50460 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:73548 | P | terraform on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49858 | P | perl-Net-Libproxy on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50854 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:66030 | P | Security update for terraform (Important) | 2020-12-01
oval:org.opensuse.security:def:73430 | P | libjpeg8-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51122 | P | Security update for gnutls (Important) | 2020-12-01
oval:org.opensuse.security:def:53031 | P | Security update for libsolv, libzypp, zypper (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51493 | P | Security update for rust, rust-cbindgen (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50328 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:70108 | P | libout123-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50691 | P | Security update for python-ecdsa (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49912 | P | terraform on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50307 | P | Security update for gd (Moderate) | 2020-12-01
oval:org.opensuse.security:def:65940 | P | Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:50958 | P | Security update for postgresql10 (Important) | 2020-12-01
oval:org.opensuse.security:def:69377 | P | Security update for terraform (Important) | 2020-12-01
oval:org.opensuse.security:def:51392 | P | Security update for ncurses (Important) | 2020-12-01
oval:org.opensuse.security:def:53095 | P | Security update for terraform (Important) | 2020-12-01
oval:org.opensuse.security:def:50308 | P | Security update for wireshark (Moderate) | 2020-12-01
oval:org.opensuse.security:def:98580 | P | Security update for terraform (Important) | 2020-02-04
oval:org.opensuse.security:def:91615 | P | Security update for terraform (Important) | 2020-02-04
oval:org.opensuse.security:def:105270 | P | Security update for terraform (Important) | 2020-02-04
    hashicorp terraform *
    hashicorp terraform 0.12.16