Palo Alto Networks Security Advisories / CVE-2021-3040

CVE-2021-3040 Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution


047910
Severity 6.7 · MEDIUM
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required HIGH
Integrity Impact HIGH
User Interaction NONE
Availability Impact LOW
CVE JSON CSAF
Published 2021-06-09
Updated 2021-06-09
Discovered externally

Description

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file.

This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139.

Checkov 1.0 versions are not impacted.

Product Status

VersionsAffectedUnaffected
Bridgecrew Checkov 2.0< 2.0.139>= 2.0.139
Bridgecrew Checkov 1.0NoneAll

Severity: MEDIUM

CVSSv3.1 Base Score: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-502 Deserialization of Untrusted Data

Solution

This issue is fixed in Checkov 2.0.139 and all later versions.

Workarounds and Mitigations

Do not run Checkov on terraform files from untrusted sources or pull requests.

Acknowledgments

Palo Alto Networks thanks Bryan Eastes for discovering and reporting this issue.

Timeline

Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.