CVE-2022-25374 - OpenCVE

HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Hashicorp	Terraform Enterprise

Configuration 1 [-]

cpe:2.3:a:hashicorp:terraform_enterprise:*:*:*:*:*:*:*:*

References

Link	Resource
https://discuss.hashicorp.com	Product
https://discuss.hashicorp.com/t/hcsec-2022-06-terraform-enterprise-may-capture-sensitive-data-in-logs/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-25T12:25:04

Updated: 2022-08-10T23:20:33

Reserved: 2022-02-20T00:00:00

Link: CVE-2022-25374

JSON object: View

NVD Information

Status : Modified

Published: 2022-02-25T13:15:08.187

Modified: 2022-08-11T00:25:29.163

Link: CVE-2022-25374

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:terraform_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "22E0D2D3-464C-4B01-91C8-90293CBEAEDF", "versionEndExcluding": "202202-1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1."}, {"lang": "es", "value": "HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1 y v202201-2 estaban configurados para registrar las peticiones HTTP entrantes de forma que pod\u00edan capturar datos sensibles. Corregido en v202202-1"}], "id": "CVE-2022-25374", "lastModified": "2022-08-11T00:25:29.163", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-25T13:15:08.187", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://discuss.hashicorp.com"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2022-06-terraform-enterprise-may-capture-sensitive-data-in-logs/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}