Palo Alto Networks Security Advisories
CVE-2021-3035 Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required HIGH
User Interaction NONE
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact LOW
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file.
This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
|Bridgecrew Checkov 2.0||< 2.0.26||>= 2.0.26|
|Bridgecrew Checkov 1.0||None||all|
CVSSv3.1 Base Score: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
CWE-502 Deserialization of Untrusted Data
This issue is fixed in Checkov 2.0.26 and all later releases.
Workarounds and Mitigations
Do not run Checkov on terraform files from untrusted sources or pull requests.
Palo Alto Networks thanks Kevin Higgs of Trail of Bits for discovering and reporting this issue.
© 2020 Palo Alto Networks, Inc. All rights reserved.