CVE-2021-3040 - Vulnerability Details - OpenCVE

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.03376.

Key SSVC decision points have not yet been added.

Vendors	Products
Paloaltonetworks	Bridgecrew Checkov

Configuration 1 [-]

cpe:2.3:a:paloaltonetworks:bridgecrew_checkov:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-26392	An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted.

Fixes

Solution

This issue is fixed in Checkov 2.0.139 and all later versions.

Workaround

Do not run Checkov on terraform files from untrusted sources or pull requests.

References

Link	Providers
https://security.paloaltonetworks.com/CVE-2021-3040

History

No history.

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2021-06-10T12:33:06.414583Z

Updated: 2024-09-16T18:23:39.787Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-3040

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-06-10T13:15:08.343

Modified: 2024-11-21T06:20:49.213

Link: CVE-2021-3040

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Bridgecrew Checkov", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "1.0 all"}, {"changes": [{"at": "2.0.139", "status": "unaffected"}], "lessThan": "2.0.139", "status": "affected", "version": "2.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Palo Alto Networks thanks Bryan Eastes for discovering and reporting this issue."}], "datePublic": "2021-06-09T00:00:00", "descriptions": [{"lang": "en", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted."}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-10T12:33:06", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}], "solutions": [{"lang": "en", "value": "This issue is fixed in Checkov 2.0.139 and all later versions."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2021-06-09T00:00:00", "value": "Initial publication"}], "title": "Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution", "workarounds": [{"lang": "en", "value": "Do not run Checkov on terraform files from untrusted sources or pull requests."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2021-06-09T16:00:00.000Z", "ID": "CVE-2021-3040", "STATE": "PUBLIC", "TITLE": "Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Bridgecrew Checkov", "version": {"version_data": [{"version_affected": "<", "version_name": "2.0", "version_value": "2.0.139"}, {"version_affected": "!>=", "version_name": "2.0", "version_value": "2.0.139"}, {"version_affected": "!", "version_name": "1.0", "version_value": "all"}]}}]}, "vendor_name": "Palo Alto Networks"}]}}, "credit": [{"lang": "eng", "value": "Palo Alto Networks thanks Bryan Eastes for discovering and reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted."}]}, "exploit": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://security.paloaltonetworks.com/CVE-2021-3040", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}]}, "solution": [{"lang": "en", "value": "This issue is fixed in Checkov 2.0.139 and all later versions."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2021-06-09T00:00:00", "value": "Initial publication"}], "work_around": [{"lang": "en", "value": "Do not run Checkov on terraform files from untrusted sources or pull requests."}], "x_affectedList": ["Bridgecrew Checkov 2.0"]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:45:50.966Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}]}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2021-3040", "datePublished": "2021-06-10T12:33:06.414583Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T18:23:39.787Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:paloaltonetworks:bridgecrew_checkov:*:*:*:*:*:*:*:*", "matchCriteriaId": "67DCC94F-DEE9-4508-94A5-0FEF7D857A45", "versionEndExcluding": "2.0.139", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted."}, {"lang": "es", "value": "Una vulnerabilidad de deserializaci\u00f3n insegura en Bridgecrew Checkov de Prisma Cloud permite la ejecuci\u00f3n de c\u00f3digo arbitrario al procesar un archivo terraform malicioso. Este problema afecta a las versiones de Checkov 2.0 anteriores a Checkov 2.0.139. Las versiones de Checkov 1.0 no se ven afectadas"}], "id": "CVE-2021-3040", "lastModified": "2024-11-21T06:20:49.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-10T13:15:08.343", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}