| Property | Value |
|---|---|
| Language | terraform |
| Severity | high |
| CWE | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |

Description

Using 'local-exec' or 'remote-exec' provisioners in Terraform allows arbitrary shell commands to run during resource creation. Those commands run outside Terraform's state and plan, so their effects are hard to review and track, they can introduce unintended changes, and any variable or attribute value that is interpolated into the command string is parsed by the shell, which opens the door to command injection.
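The flagged pattern next to two less risky forms, as an added example rather than code from the rule's page; the variable names, the `/etc/hosts.d/managed` path and the `null_resource`/`local_file` resources are constructed for illustration.

```hcl
# Flagged pattern (constructed): a variable-controlled value is interpolated
# straight into a shell command, so the command is only as safe as whatever
# reaches var.hostname, and nothing about the write is recorded in state.
variable "hostname" {
  type = string
}

resource "null_resource" "register_host" {
  provisioner "local-exec" {
    command = "echo ${var.hostname} >> /etc/hosts.d/managed"
  }
}

# Narrowed form: still a provisioner, but the input is validated and handed
# to the command through the environment, so the shell never parses the
# value as syntax.
variable "hostname_checked" {
  type = string
  validation {
    condition     = can(regex("^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", var.hostname_checked))
    error_message = "hostname_checked must be a single DNS label."
  }
}

resource "null_resource" "register_host_checked" {
  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    command     = "printf '%s\\n' \"$HOSTNAME_VALUE\" >> /etc/hosts.d/managed"
    environment = {
      HOSTNAME_VALUE = var.hostname_checked
    }
  }
}

# Preferred form: no provisioner at all. A provider-native resource makes the
# change part of the plan and state, so it can be diffed, reviewed and reverted.
resource "local_file" "managed_hosts" {
  filename = "/etc/hosts.d/managed"
  content  = "${var.hostname_checked}\n"
}
```

With the first form, `terraform plan` shows only that a `null_resource` will be created; with the last, the file content itself appears in the plan diff.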

Impact

If exploited, attackers could execute unauthorized commands on infrastructure, leading to potential data breaches, system compromise, or further lateral movement within the environment. This undermines infrastructure security and can result in loss of control or exposure of sensitive resources.