Skip to main content

Terraform Provider

3 CVEs product

Monthly

CVE-2026-25499 Go HIGH POC PATCH This Week

The Terraform/OpenTofu Proxmox Provider prior to version 0.93.1 contains a path traversal vulnerability in its SSH sudoer configuration documentation that permits attackers to escape directory restrictions using ../ sequences and modify arbitrary files on the system. Public exploit code exists for this vulnerability, affecting users who implement the documented SSH configuration. The vulnerability has been patched in version 0.93.1 and a fix is available.

SSH Proxmox Terraform Provider Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13357 Go HIGH PATCH This Month

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Hashicorp Terraform Provider Suse
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2021-30476 CRITICAL POC Act Now

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp Terraform Provider
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The Terraform/OpenTofu Proxmox Provider prior to version 0.93.1 contains a path traversal vulnerability in its SSH sudoer configuration documentation that permits attackers to escape directory restrictions using ../ sequences and modify arbitrary files on the system. Public exploit code exists for this vulnerability, affecting users who implement the documented SSH configuration. The vulnerability has been patched in version 0.93.1 and a fix is available.

SSH Proxmox Terraform Provider +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Month

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Hashicorp Terraform Provider +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp Terraform Provider
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy