CVE-2021-3040 Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution
Attack Vector
NETWORK
Scope
UNCHANGED
Attack Complexity
LOW
Confidentiality Impact
HIGH
Privileges Required
HIGH
Integrity Impact
HIGH
User Interaction
NONE
Availability Impact
LOW
Description
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file.
This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139.
Checkov 1.0 versions are not impacted.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Bridgecrew Checkov 2.0 | < 2.0.139 | >= 2.0.139 |
Bridgecrew Checkov 1.0 | None | All |
Severity: MEDIUM
CVSSv3.1 Base Score: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-502 Deserialization of Untrusted Data
Solution
This issue is fixed in Checkov 2.0.139 and all later versions.
Workarounds and Mitigations
Do not run Checkov on terraform files from untrusted sources or pull requests.
Acknowledgments
Palo Alto Networks thanks Bryan Eastes for discovering and reporting this issue.
Timeline
Initial publication