Tenable Terrascan Server-Side Request Forgery Vulnerability in ARM and CloudFormation Template Processing

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Tenable Terrascan versions through 1.18.3. It arises when Terrascan is run in server mode, where it accepts uploaded Infrastructure as Code (IaC) templates such as Azure Resource Manager (ARM) or AWS CloudFormation and parses them. During parsing, Terrascan resolves external URLs referenced in the templates with the hashicorp/go-getter library, using all of that library's default detectors, including the FileDetector. An unauthenticated remote attacker can exploit this by uploading a template that references an attacker-controlled URL; Terrascan then fetches that URL server-side, potentially giving access to internal resources or files. The issue is particularly concerning because the FileDetector lets a template reach local files directly, without the redirect to a file URL that SSRF-based file access usually requires.
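As an added defensive example (not Terrascan's code and not the project's fix for this issue), the following Go gate checks each reference a template contains before it is handed to a fetcher such as go-getter. It assumes the server already has the reference strings extracted from the template, that only absolute http/https URLs to public hosts are legitimate, and that the deny list of host names is deployment-specific; the function names and sample references are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Schemes a template is permitted to reference. file:// and scheme-less paths
// are deliberately absent: with go-getter's default detectors those resolve
// to the local filesystem.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// Host names refused even though they are not IP literals.
// (Constructed deny list for this example; extend it to fit the deployment.)
var blockedHosts = map[string]bool{
	"localhost":                true,
	"metadata.google.internal": true,
}

// CheckTemplateURL returns nil when ref is an absolute http(s) URL to a host
// that is neither a blocked name nor a loopback, private, link-local or
// unspecified IP literal. Any other reference is rejected with a reason.
func CheckTemplateURL(ref string) error {
	ref = strings.TrimSpace(ref)
	// go-getter's "proto::url" syntax forces a particular getter (git::, s3::,
	// file:: ...); a template has no business choosing the fetcher.
	if strings.Contains(ref, "::") {
		return errors.New("forced-getter prefix is not allowed")
	}
	u, err := url.Parse(ref)
	if err != nil {
		return fmt.Errorf("unparseable reference: %w", err)
	}
	if u.Scheme == "" {
		return errors.New("missing scheme: bare paths are resolved as local files")
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in the URL are not allowed")
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" {
		return errors.New("empty host")
	}
	if blockedHosts[host] {
		return fmt.Errorf("host %q is blocked", host)
	}
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
			ip.IsLinkLocalMulticast() || ip.IsUnspecified() {
			return fmt.Errorf("host %s is a non-public address", ip)
		}
	}
	return nil
}

// ScreenTemplateURLs partitions the references extracted from a template into
// those that may be handed to the fetcher and those to log and drop.
func ScreenTemplateURLs(refs []string) (accepted []string, rejected map[string]string) {
	rejected = make(map[string]string)
	for _, r := range refs {
		if err := CheckTemplateURL(r); err != nil {
			rejected[r] = err.Error()
			continue
		}
		accepted = append(accepted, r)
	}
	return accepted, rejected
}

func main() {
	// Constructed sample of what an uploaded template might reference.
	refs := []string{
		"https://example.com/templates/network.json",
		"/etc/hostname",
		"file:///etc/hostname",
		"http://127.0.0.1:9000/admin",
		"http://[::1]/",
		"http://10.0.0.5/internal",
		"git::https://example.com/repo.git",
	}
	accepted, rejected := ScreenTemplateURLs(refs)
	for _, r := range accepted {
		fmt.Println("FETCH ", r)
	}
	for r, why := range rejected {
		fmt.Println("REJECT", r, "-", why)
	}
}
```

The gate only inspects the reference as written: it does not resolve DNS and does not see redirects, so the HTTP client that performs the fetch still needs its own controls (re-checking the dialled address and refusing redirects to disallowed hosts). It is complementary to configuring the fetcher itself; go-getter v1's Client struct has a Detectors field that replaces the package default list, which is where FileDetector would otherwise come from.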

Impact

Exploitation of this vulnerability allows unauthorized server-side requests to be made from the Terrascan host, potentially leading to local file disclosure or access to internal services.

Added: May 19, 2026, 5:20 PM
Updated: May 19, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 8.8
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.