CVE-2025-13432
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-12-10
Assigner: HashiCorp Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | Terraform Enterprise | From 1.0.0 (inc) to 1.0.3 (exc) |
| hashicorp | Terraform Enterprise | 1.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | Incorrect Authorization: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check, so the intended access restriction can be bypassed. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In Terraform Enterprise 1.0.0 through 1.0.2 and 1.1.0, a user who holds some permissions in a workspace, but not the permission that should be required to write state, could nevertheless create new Terraform state versions for that workspace (CWE-863, incorrect authorization). Terraform computes every plan as the difference between the stored state and the configuration, so a state version injected this way shapes what the next plan proposes. If that plan is then approved by a user who does hold apply permission, or the workspace is configured to auto-apply, the resulting changes are applied to the infrastructure.
How can this vulnerability impact me?
If a user with a low-privilege workspace role uploads a crafted state version, the next plan is computed against that state rather than the real one and can propose to create, modify or destroy resources that the legitimate state would not have touched. Once someone with approval rights approves that run, or auto-apply approves it for them, those changes reach your infrastructure. The approver is reviewing a plan whose starting point was chosen by the attacker, which is what turns a permissions bug into an infrastructure change.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Terraform Enterprise to 1.1.1 (for the 1.1.x line) or 1.0.3 (for the 1.0.x line), the releases in which the authorization check is fixed. Until the upgrade is complete, review the state version history of sensitive workspaces for versions created by users or service accounts that should not be able to write state, and consider turning off auto-apply on those workspaces so that every plan gets a human review before it is applied.
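Added example, not code from BaseFortify or HashiCorp: a Python check over the JSON that a Terraform Enterprise state-versions listing returns, flagging versions created by principals outside an operator-maintained allowlist, versions with no run behind them, and serial gaps. The field layout follows the shape of the TFE state-versions API; the sample response, the user ids and the `allowed_writers` allowlist are constructed for this example, and the rule "no run relationship means the state was pushed directly" is an assumption you should confirm against your own instance before relying on it.

```python
import json
from dataclasses import dataclass

# Constructed sample response. The field layout follows the shape of the
# Terraform Enterprise state-versions list endpoint
# (GET /api/v2/state-versions?filter[workspace][name]=...), trimmed to the
# attributes this check reads; the ids, serials and users are invented.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {
            "id": "sv-0001", "type": "state-versions",
            "attributes": {"serial": 41, "created-at": "2025-11-01T10:00:00Z", "status": "finalized"},
            "relationships": {
                "created-by": {"data": {"id": "user-ci-bot", "type": "users"}},
                "run": {"data": {"id": "run-aaa", "type": "runs"}},
            },
        },
        {
            # Uploaded directly with no run behind it, by a user who is not an
            # expected state writer: the pattern this advisory is about.
            "id": "sv-0002", "type": "state-versions",
            "attributes": {"serial": 42, "created-at": "2025-11-02T03:12:00Z", "status": "finalized"},
            "relationships": {
                "created-by": {"data": {"id": "user-contractor", "type": "users"}},
                "run": {"data": None},
            },
        },
        {
            "id": "sv-0003", "type": "state-versions",
            "attributes": {"serial": 43, "created-at": "2025-11-02T09:00:00Z", "status": "finalized"},
            "relationships": {
                "created-by": {"data": {"id": "user-ci-bot", "type": "users"}},
                "run": {"data": {"id": "run-bbb", "type": "runs"}},
            },
        },
    ]
})


@dataclass(frozen=True)
class Finding:
    state_version_id: str
    serial: int
    created_by: str
    reason: str


def audit_state_versions(response_json: str, allowed_writers: set[str]) -> list[Finding]:
    """Flag state versions of one workspace that deserve a second look.

    allowed_writers is a hypothetical, operator-maintained set of user ids
    that are expected to produce state for this workspace (CI identities,
    the platform team); anything else is reported.
    """
    payload = json.loads(response_json)
    # Walk the versions in serial order so serial gaps can be detected.
    versions = sorted(payload["data"], key=lambda sv: sv["attributes"]["serial"])
    findings: list[Finding] = []
    prev_serial = None
    for sv in versions:
        attrs = sv["attributes"]
        rels = sv.get("relationships", {})
        creator = ((rels.get("created-by") or {}).get("data") or {}).get("id", "<unknown>")
        run = (rels.get("run") or {}).get("data")
        serial = attrs["serial"]

        if creator not in allowed_writers:
            findings.append(Finding(sv["id"], serial, creator,
                                    "created by a principal outside the allowed writer set"))
        if run is None:
            # Assumption: a state version produced by a plan/apply run carries a
            # run relationship; one without it was pushed straight to the API.
            findings.append(Finding(sv["id"], serial, creator,
                                    "uploaded directly, not produced by a run"))
        if prev_serial is not None and serial != prev_serial + 1:
            findings.append(Finding(sv["id"], serial, creator,
                                    f"serial jumps from {prev_serial} to {serial}"))
        prev_serial = serial
    return findings


if __name__ == "__main__":
    for f in audit_state_versions(SAMPLE_RESPONSE, {"user-ci-bot"}):
        print(f"{f.state_version_id} serial={f.serial} by={f.created_by}: {f.reason}")
```

Run it against the JSON you pull from your own instance (the listing is paginated, so collect every page before calling the function) and treat any flagged version whose serial sits below the current one as a state that may already have driven a plan; the run approval history for that workspace then tells you whether the change reached production.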