CVE-2021-3035 Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution

Palo Alto Networks Security Advisories / CVE-2021-3035

CVE-2021-3035 Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution

Severity 6.7 · MEDIUM

Attack Vector NETWORK

Scope UNCHANGED

Attack Complexity LOW

Confidentiality Impact HIGH

Privileges Required HIGH

Integrity Impact HIGH

User Interaction NONE

Availability Impact LOW

NVD JSON

Published 2021-04-14

Updated 2021-04-14

Reference

Discovered externally

Description

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file.

This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.

Product Status

Versions	Affected	Unaffected
Bridgecrew Checkov 2.0	< 2.0.26	>= 2.0.26
Bridgecrew Checkov 1.0	None	All

Severity: MEDIUM

CVSSv3.1 Base Score: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-502 Deserialization of Untrusted Data

Solution

This issue is fixed in Checkov 2.0.26 and all later releases.

Workarounds and Mitigations

Do not run Checkov on terraform files from untrusted sources or pull requests.

Acknowledgments

Palo Alto Networks thanks Kevin Higgs of Trail of Bits for discovering and reporting this issue.

Timeline

2021-04-14 Initial publication