Hashicorp Terraform
5 CVEs affecting Hashicorp Terraform. Latest disclosed: 2025-11-21. Critical: 1, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2018-9057 | Critical | 9.8 | 2018-03-27 | aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm an… |
CVE-2021-36230 | High | 8.8 | 2021-07-20 | HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token… |
CVE-2019-19316 | High | 7.5 | 2019-12-02 | When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartex… |
CVE-2023-4782 | Medium | 6.3 | 2023-09-08 | Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulne… |
CVE-2025-13432 | Medium | 4.3 | 2025-11-21 | Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the altera… |