GHSA-GWCH-7M8V-7544

Vulnerability from github – Published: 2026-02-02 20:25 – Updated: 2026-02-04 21:58
Summary
terraform-provider-proxmox has insecure sudo recommendation in the documentation
Details

Note: It is uncertain whether this constitutes a vulnerability or should be filed as an issue instead.

Summary

In the SSH configuration documentation, the sudoers line that was suggested lets the user escalate to editing any file on the system.

Details

The following line was suggested for addition to the sudoers file:

terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*

This is highly insecure: the directory can be escaped with ../, so any file on the system can be written.

PoC

Using a terraform user with the previously mentioned line in the /etc/sudoers file, a /etc/sudoers.d/sudo file can be added using this command:

echo "ALL=(ALL) NOPASSWD:ALL" | tee /var/lib/vz/../../../etc/sudoers.d/sudo

This grants full root access on the node.

Impact

This breaches the access limits of the Terraform user.

Suggested workaround

Restrict the command argument with a strict pattern that allows only the file names this user should be able to push.

Example for cloud-init YAML files:

terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[A-Za-z0-9-]*\\.yaml
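As an added, defender-side example (not code from the advisory or from terraform-provider-proxmox): the wildcard rule fails because sudo matches command-line arguments with fnmatch-style wildcards in which `*` also matches `/` (sudoers(5), Wildcards section), so a pattern alone is hard to reason about. The script below turns the advisory's allow-list into an explicit check: the requested path is canonicalised, its parent must be exactly `/var/lib/vz/snippets`, and its name must match `[A-Za-z0-9-]+\.yaml`. The snippet directory, the requirement of at least one name character, and the `safe_tee` wrapper (the command one would point the sudoers entry at instead of a bare `tee`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the provider): validate the one
# path the Terraform SSH user is allowed to write, then tee into it.
# Assumed allow-list: /var/lib/vz/snippets/<name>.yaml where <name> is
# letters, digits and dashes (at least one character).
SNIPPET_DIR="/var/lib/vz/snippets"
NAME_RE='^[A-Za-z0-9-]+\.yaml$'

# canonicalize PATH: print PATH with ".", ".." and empty segments collapsed.
# Uses realpath -m when available (also resolves symlinks in the existing
# part of the path); otherwise falls back to a purely lexical collapse.
canonicalize() {
    if realpath -m -- / >/dev/null 2>&1; then
        realpath -m -- "$1"
        return
    fi
    out=""
    old_ifs=$IFS
    IFS=/
    set -f                              # no glob expansion of segments like "*"
    for seg in $1; do
        case "$seg" in
            ""|".") ;;                  # skip empty and "." segments
            "..") out=${out%/*} ;;      # drop the last segment, never above "/"
            *) out="$out/$seg" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# check_snippet_path PATH: return 0 if PATH may be written, 1 otherwise.
check_snippet_path() {
    case "$1" in
        /*) ;;                          # absolute paths only
        *) return 1 ;;
    esac
    resolved=$(canonicalize "$1") || return 1
    # The parent of the resolved path must be exactly the snippet directory,
    # so a traversal such as /var/lib/vz/../../../etc/... cannot pass.
    [ "$(dirname "$resolved")" = "$SNIPPET_DIR" ] || return 1
    # The file name must match the allow-list pattern.
    printf '%s\n' "$(basename "$resolved")" | grep -Eq "$NAME_RE"
}

# safe_tee PATH: write stdin to PATH only after the check passes.
# Example: printf 'content\n' | safe_tee /var/lib/vz/snippets/web-01.yaml
safe_tee() {
    check_snippet_path "$1" || { echo "refused: $1" >&2; return 1; }
    tee -- "$1"
}
```

The lexical fallback does not resolve symlinks, so on a real node prefer a coreutils `realpath`. The check is meant to sit behind the narrow sudoers pattern from the advisory, not to replace keeping that pattern tight.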

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bpg/terraform-provider-proxmox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.93.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T20:25:53Z",
    "nvd_published_at": "2026-02-04T21:16:01Z",
    "severity": "HIGH"
  },
  "details": "\u003e Note: It is uncertain whether this constitutes a vulnerability or should be filed as an issue instead.\n\n### Summary\n\nIn the SSH configuration documentation, the sudoer line that was suggested can be escalated to edit any files in the system.\n\n### Details\n\nThe following line were suggested for addition in the sudoers file:\n\n```bash\nterraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*\n```\n\nBut this is highly insecure as  the folder can be escaped using `../` and any files can be edited on the system.\n\n### PoC\n\nUsing a `terraform` user with the previously mentioned line in the `/etc/sudoers` file, a `/etc/sudoers.d/sudo` file can be added using this command:\n\n`echo \"ALL=(ALL) NOPASSWD:ALL\" | tee /var/lib/vz/../../../etc/sudoers.d/sudo`\n\nThis grants access to the full root of the node.\n\n### Impact\n\nThis breaches the access limits of the Terraform user.\n\n### Suggested workaround\n\nUse a strict regex on the command to allow only the names that should be pushed by this user.\n\nExample for cloudinit yaml files:\n\n```bash\nterraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[A-Za-z0-9-]*\\\\.yaml\n```",
  "id": "GHSA-gwch-7m8v-7544",
  "modified": "2026-02-04T21:58:25Z",
  "published": "2026-02-02T20:25:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25499"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bpg/terraform-provider-proxmox/commit/bd604c41a31e2a55dd6acc01b0608be3ea49c023"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bpg/terraform-provider-proxmox"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "terraform-provider-proxmox has insecure sudo recommendation in the documentation"
}