CVE-2026-47357
7.5 HIGHTerrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory sca...
Published: 2026-05-19 · Last updated: 2026-05-20
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-610, CWE-73, CWE-918
Affected products
| Vendor | Product |
|---|---|
| tenable | terrascan |
Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-47358 — Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates wh... (7.5 HIGH)
- CVE-2026-47356 — Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint ... (7.5 HIGH)
- CVE-2022-0778 — The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli (7.5 HIGH)
- CVE-2020-1971 — The X.509 GeneralName type is a generic type for representing different types of names (5.9 MEDIUM)
- CVE-2019-16168 — In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a... (6.5 MEDIUM)
Same CWE
- CVE-2026-10303 — In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 be... (7.4 HIGH)
- CVE-2026-53859 — OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-... (6.5 MEDIUM)
- CVE-2026-47684 — Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing (7.7 HIGH)
- CVE-2025-60175 — Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions (4.4 MEDIUM)
- CVE-2026-50888 — An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allow... (8.1 HIGH)