CVE-2021-3040 Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file.
This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139.
Checkov 1.0 versions are not impacted.
|Bridgecrew Checkov 2.0||< 2.0.139||>= 2.0.139|
|Bridgecrew Checkov 1.0||None||all|
CVSSv3.1 Base Score: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This issue is fixed in Checkov 2.0.139 and all later versions.
Workarounds and Mitigations
Do not run Checkov on terraform files from untrusted sources or pull requests.