CVE-2021-3040 - Vulnerability Details - OpenCVE

Description

An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted.

Published: 2021-06-10

Score: 6.7 Medium

EPSS: 3.4% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Palo Alto Networks

Bridgecrew Checkov

affected

Version	Status	Constraints
`1.0 all`	unaffected	—
`2.0`	affected	< 2.0.139

Configuration 1 [-]

cpe:2.3:a:paloaltonetworks:bridgecrew_checkov:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

This issue is fixed in Checkov 2.0.139 and all later versions.

Vendor Workaround

Do not run Checkov on terraform files from untrusted sources or pull requests.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-26392	An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.03376.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://security.paloaltonetworks.com/CVE-2021-3040

History

No history.

Subscriptions

Paloaltonetworks Bridgecrew Checkov

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2021-06-10T12:33:06.414Z

Updated: 2024-09-16T18:23:39.787Z

Reserved: 2021-01-06T00:00:00.000Z

Link: CVE-2021-3040

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-06-10T13:15:08.343

Modified: 2024-11-21T06:20:49.213

Link: CVE-2021-3040

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-502

{"containers": {"cna": {"affected": [{"product": "Bridgecrew Checkov", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "1.0 all"}, {"changes": [{"at": "2.0.139", "status": "unaffected"}], "lessThan": "2.0.139", "status": "affected", "version": "2.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Palo Alto Networks thanks Bryan Eastes for discovering and reporting this issue."}], "datePublic": "2021-06-09T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted."}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-10T12:33:06.000Z", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}], "solutions": [{"lang": "en", "value": "This issue is fixed in Checkov 2.0.139 and all later versions."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2021-06-09T00:00:00.000Z", "value": "Initial publication"}], "title": "Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution", "workarounds": [{"lang": "en", "value": "Do not run Checkov on terraform files from untrusted sources or pull requests."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2021-06-09T16:00:00.000Z", "ID": "CVE-2021-3040", "STATE": "PUBLIC", "TITLE": "Bridgecrew Checkov: Unsafe deserialization of Terraform files allows code execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Bridgecrew Checkov", "version": {"version_data": [{"version_affected": "<", "version_name": "2.0", "version_value": "2.0.139"}, {"version_affected": "!>=", "version_name": "2.0", "version_value": "2.0.139"}, {"version_affected": "!", "version_name": "1.0", "version_value": "all"}]}}]}, "vendor_name": "Palo Alto Networks"}]}}, "credit": [{"lang": "eng", "value": "Palo Alto Networks thanks Bryan Eastes for discovering and reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted."}]}, "exploit": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://security.paloaltonetworks.com/CVE-2021-3040", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}]}, "solution": [{"lang": "en", "value": "This issue is fixed in Checkov 2.0.139 and all later versions."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2021-06-09T00:00:00.000Z", "value": "Initial publication"}], "work_around": [{"lang": "en", "value": "Do not run Checkov on terraform files from untrusted sources or pull requests."}], "x_affectedList": ["Bridgecrew Checkov 2.0"]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:45:50.966Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}]}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2021-3040", "datePublished": "2021-06-10T12:33:06.414Z", "dateReserved": "2021-01-06T00:00:00.000Z", "dateUpdated": "2024-09-16T18:23:39.787Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:paloaltonetworks:bridgecrew_checkov:*:*:*:*:*:*:*:*", "matchCriteriaId": "67DCC94F-DEE9-4508-94A5-0FEF7D857A45", "versionEndExcluding": "2.0.139", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.139. Checkov 1.0 versions are not impacted."}, {"lang": "es", "value": "Una vulnerabilidad de deserializaci\u00f3n insegura en Bridgecrew Checkov de Prisma Cloud permite la ejecuci\u00f3n de c\u00f3digo arbitrario al procesar un archivo terraform malicioso. Este problema afecta a las versiones de Checkov 2.0 anteriores a Checkov 2.0.139. Las versiones de Checkov 1.0 no se ven afectadas"}], "id": "CVE-2021-3040", "lastModified": "2024-11-21T06:20:49.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-10T13:15:08.343", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2021-3040"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}