CVE-2021-3035 - Vulnerability Details - OpenCVE

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.03376.

Key SSVC decision points have not yet been added.

Vendors	Products
Paloaltonetworks	Bridgecrew Checkov

Configuration 1 [-]

cpe:2.3:a:paloaltonetworks:bridgecrew_checkov:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

This issue is fixed in Checkov 2.0.26 and all later releases.

Workaround

Do not run Checkov on terraform files from untrusted sources or pull requests.

References

Link	Providers
https://security.paloaltonetworks.com/CVE-2021-3035

History

No history.

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2021-04-20T03:15:16.551803Z

Updated: 2024-09-17T03:17:34.411Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-3035

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-20T04:15:12.340

Modified: 2024-11-21T06:20:48.377

Link: CVE-2021-3035

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Bridgecrew Checkov", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "1.0 all"}, {"changes": [{"at": "2.0.26", "status": "unaffected"}], "lessThan": "2.0.26", "status": "affected", "version": "2.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Palo Alto Networks thanks Kevin Higgs of Trail of Bits for discovering and reporting this issue."}], "datePublic": "2021-04-14T00:00:00", "descriptions": [{"lang": "en", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted."}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-20T03:15:16", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.paloaltonetworks.com/CVE-2021-3035"}], "solutions": [{"lang": "en", "value": "This issue is fixed in Checkov 2.0.26 and all later releases."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2021-04-14T00:00:00", "value": "Initial publication"}], "title": "Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution", "workarounds": [{"lang": "en", "value": "Do not run Checkov on terraform files from untrusted sources or pull requests."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2021-04-14T16:00:00.000Z", "ID": "CVE-2021-3035", "STATE": "PUBLIC", "TITLE": "Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Bridgecrew Checkov", "version": {"version_data": [{"version_affected": "<", "version_name": "2.0", "version_value": "2.0.26"}, {"version_affected": "!>=", "version_name": "2.0", "version_value": "2.0.26"}, {"version_affected": "!", "version_name": "1.0", "version_value": "all"}]}}]}, "vendor_name": "Palo Alto Networks"}]}}, "credit": [{"lang": "eng", "value": "Palo Alto Networks thanks Kevin Higgs of Trail of Bits for discovering and reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted."}]}, "exploit": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://security.paloaltonetworks.com/CVE-2021-3035", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2021-3035"}]}, "solution": [{"lang": "en", "value": "This issue is fixed in Checkov 2.0.26 and all later releases."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2021-04-14T00:00:00", "value": "Initial publication"}], "work_around": [{"lang": "en", "value": "Do not run Checkov on terraform files from untrusted sources or pull requests."}], "x_affectedList": ["BridgeCrew Checkov 2.0"]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:45:50.739Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.paloaltonetworks.com/CVE-2021-3035"}]}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2021-3035", "datePublished": "2021-04-20T03:15:16.551803Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T03:17:34.411Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:paloaltonetworks:bridgecrew_checkov:*:*:*:*:*:*:*:*", "matchCriteriaId": "57047748-932C-4C5A-BAA7-36AA369957E4", "versionEndExcluding": "2.0.26", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted."}, {"lang": "es", "value": "Una vulnerabilidad de deserializaci\u00f3n no segura en Bridgecrew Checkov de Prisma Cloud, permite una ejecuci\u00f3n de c\u00f3digo arbitrario cuando se procesa un archivo terraform malicioso. Este problema impacta a Checkov versiones 2.0 anteriores a Checkov versi\u00f3n 2.0.26. Checkov versiones 1.0 no est\u00e1n afectadas"}], "id": "CVE-2021-3035", "lastModified": "2024-11-21T06:20:48.377", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-20T04:15:12.340", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2021-3035"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2021-3035"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}