GHSA-gwch-7m8v-7544

Source
https://github.com/advisories/GHSA-gwch-7m8v-7544
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gwch-7m8v-7544/GHSA-gwch-7m8v-7544.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gwch-7m8v-7544
Aliases
Published
2026-02-02T20:25:53Z
Modified
2026-02-05T06:56:04.104744Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
terraform-provider-proxmox has insecure sudo recommendation in the documentation
Details

Note: It is uncertain whether this constitutes a vulnerability or should be filed as an issue instead.

Summary

In the SSH configuration documentation, the suggested sudoers line can be abused to edit any file on the system.

Details

The following line was suggested for addition to the sudoers file:

terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*

This is highly insecure: the directory can be escaped with ../, so any file on the system can be edited.

PoC

With a terraform user and the line above present in /etc/sudoers, a file /etc/sudoers.d/sudo can be created with this command:

echo "ALL=(ALL) NOPASSWD:ALL" | tee /var/lib/vz/../../../etc/sudoers.d/sudo

This grants full root access on the node.

Impact

This bypasses the access restrictions intended for the Terraform user.

Suggested workaround

Use a strict regex on the command argument so that only the file names this user is expected to push are allowed.

Example for cloudinit yaml files:

terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[A-Za-z0-9-]*\\.yaml
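
A defender-side caveat on the workaround above, with an added example that is not part of the advisory or of the terraform-provider-proxmox project: sudoers matches command-line arguments with fnmatch(3) wildcards, not regular expressions, and in arguments `*` matches any characters, including `/` and `..`, which is exactly why the original `/var/lib/vz/*` rule could be escaped. A glob such as `[A-Za-z0-9-]*\.yaml` therefore only pins the beginning and the end of the argument, not what may lie between. sudo 1.9.10 and later accept real regular expressions in sudoers (anchored with `^` and `$`, see sudoers(5)); where that is not available, or as defence in depth, a small root-owned wrapper that validates the path can replace `tee` in the rule. The script below is such a hypothetical wrapper; its name `vz-snippet-write`, its install path `/usr/local/sbin`, the `terraform` user and the sudoers rule in the header comment are all assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper "vz-snippet-write" (added example, not the project's own code).
# Assumed sudoers rule that replaces the tee rule from the advisory:
#   terraform ALL=(root) NOPASSWD: /usr/local/sbin/vz-snippet-write
# The wrapper reads the snippet from stdin and writes it to the file named in $1,
# after checking that $1 is a plain, allowed file name directly inside SNIPPET_DIR.

SNIPPET_DIR="/var/lib/vz/snippets"   # the only directory the terraform user may write to

# check_snippet_path PATH
# Returns 0 when PATH is SNIPPET_DIR/<name> and <name> matches [A-Za-z0-9-]+\.yaml,
# 1 otherwise. The checks are purely lexical, so the file does not need to exist yet.
check_snippet_path() {
    p=$1
    # 1. The argument must start with the snippet directory followed by "/".
    case $p in
        "$SNIPPET_DIR"/*) ;;
        *) return 1 ;;
    esac
    # 2. What follows the prefix must be a bare file name: no further "/", so "../"
    #    traversal and subdirectories are impossible; no leading "." (hidden files,
    #    ".", ".."); not empty.
    name=${p#"$SNIPPET_DIR"/}
    case $name in
        */* | .* | "") return 1 ;;
    esac
    # 3. Only the characters of the advisory's pattern, plus the dot of the ".yaml" suffix.
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # 4. Must end in ".yaml", and the stem before it must be non-empty and contain no dot,
    #    so "x.yaml" passes but "x.yaml.yaml" and ".yaml" do not.
    case $name in
        *.yaml) ;;
        *) return 1 ;;
    esac
    stem=${name%.yaml}
    case $stem in
        "" | *.*) return 1 ;;
    esac
    return 0
}

# write_snippet PATH  (content on stdin)
# Writes atomically: first to a temporary dotfile in SNIPPET_DIR (a dotfile can never
# collide with an allowed name), then rename(2) over the target via mv, which replaces
# a symlink at the target instead of following it.
write_snippet() {
    target=$1
    if ! check_snippet_path "$target" || [ -d "$target" ]; then
        echo "vz-snippet-write: refused: $target" >&2
        return 1
    fi
    tmp="$SNIPPET_DIR/.vz-snippet-write.$$.tmp"
    umask 022
    cat >"$tmp" && mv -f "$tmp" "$target"
}

# When installed as /usr/local/sbin/vz-snippet-write, run on the single argument.
if [ "${0##*/}" = "vz-snippet-write" ]; then
    [ $# -eq 1 ] || { echo "usage: vz-snippet-write /var/lib/vz/snippets/<name>.yaml < file" >&2; exit 2; }
    write_snippet "$1"
fi
```

The terraform user would then run `sudo /usr/local/sbin/vz-snippet-write /var/lib/vz/snippets/<name>.yaml < file` instead of `sudo tee`. Because the sudoers rule names the wrapper with no arguments pattern at all, sudo's wildcard semantics no longer matter; the whole decision about which path is acceptable is made by the four lexical checks in `check_snippet_path`, which a reviewer can read and test without a root shell.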
Database specific
{
    "nvd_published_at": "2026-02-04T21:16:01Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1188",
        "CWE-22"
    ],
    "github_reviewed_at": "2026-02-02T20:25:53Z",
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/bpg/terraform-provider-proxmox

Package

Name
github.com/bpg/terraform-provider-proxmox
Purl
pkg:golang/github.com/bpg/terraform-provider-proxmox

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.93.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gwch-7m8v-7544/GHSA-gwch-7m8v-7544.json"