terraform-provider-gitea's Introduction

Terraform Provider

Requirements

  • Terraform 0.10.x
  • Go 1.11 (to build the provider plugin)

Building The Provider

Clone repository to: $GOPATH/src/github.com/terraform-providers/terraform-provider-gitea

$ mkdir -p $GOPATH/src/github.com/terraform-providers; cd $GOPATH/src/github.com/terraform-providers
$ git clone git@github.com:terraform-providers/terraform-provider-gitea

Enter the provider directory and build the provider

$ cd $GOPATH/src/github.com/terraform-providers/terraform-provider-gitea
$ make build

Using the provider

Fill in for each provider

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.11+ is required). You'll also need to correctly set up a GOPATH and add $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make build
...
$ $GOPATH/bin/terraform-provider-gitea
...

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of acceptance tests, export the environment variables:

  • GITEA_TOKEN: token for an account with admin privileges
  • GITEA_BASE_URL: URL with api part, e.g. http://localhost:3000/

and run make testacc.

$ make testacc

terraform-provider-gitea's People

Contributors

mend-bolt-for-github[bot], nlamirault

terraform-provider-gitea's Issues

CVE-2020-14040 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3


Step up your Open Source Security Game with Mend here

CVE-2020-16845 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2020-16845 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

Publish Date: 2020-08-06

URL: CVE-2020-16845

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q6gq-997w-f55g

Release Date: 2020-08-06

Fix Resolution: go1.13.15,go1.14.7,github.com/ulikunitz/xz - v0.5.8


CVE-2018-17848 (High) detected in github.com/hashiCorp/terraform-v0.11.11 - autoclosed

CVE-2018-17848 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

Publish Date: 2018-10-01

URL: CVE-2018-17848

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17848

Release Date: 2018-10-01

Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3


CVE-2018-17847 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2018-17847 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

Publish Date: 2018-10-01

URL: CVE-2018-17847

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17847

Release Date: 2018-10-01

Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3


CVE-2018-17846 (High) detected in github.com/hashiCorp/terraform-v0.11.11 - autoclosed

CVE-2018-17846 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to an infinite loop during an html.Parse call because inSelectIM and inSelectInTableIM do not comply with a specification.

Publish Date: 2018-10-01

URL: CVE-2018-17846

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17846

Release Date: 2018-10-01

Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3


CVE-2016-3697 (High) detected in github.com/hashiCorp/terraform-v0.11.11 - autoclosed

CVE-2016-3697 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.

Publish Date: 2016-06-01

URL: CVE-2016-3697

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-3697

Release Date: 2016-06-01

Fix Resolution: 0.1.0,1.11.2


CVE-2014-7189 (Low) detected in github.com/hashiCorp/terraform-v0.11.11 - autoclosed

CVE-2014-7189 - Low Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

crypto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.

Publish Date: 2014-10-07

URL: CVE-2014-7189

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7189

Release Date: 2014-10-07

Fix Resolution: 1.3.2


CVE-2021-43565 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2021-43565 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

Publish Date: 2022-09-06

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565

Release Date: 2021-11-10

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1


CVE-2018-17142 (High) detected in github.com/hashiCorp/terraform-v0.11.11 - autoclosed

CVE-2018-17142 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

The html package (aka x/net/html) through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

Publish Date: 2018-09-17

URL: CVE-2018-17142

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17142

Release Date: 2018-09-17

Fix Resolution: net- go1.11.1


CVE-2020-26160 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2020-26160 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-w73w-5m7g-f7qc

Release Date: 2020-09-30

Fix Resolution: 4.0.0-preview1


CVE-2021-38561 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2021-38561 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

Publish Date: 2022-12-26

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7


CVE-2021-33194 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2021-33194 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023


CVE-2020-29529 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2020-29529 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.

Publish Date: 2020-12-03

URL: CVE-2020-29529

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-03

Fix Resolution: v0.5.0


CVE-2021-29482 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2021-29482 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop when provided malicious input. The problem has been fixed in release v0.5.8. As a workaround, users can limit the size of the compressed file input to a reasonable size for their use case. The standard library recently had the same issue, which was allocated CVE-2020-16845.

Publish Date: 2021-04-28

URL: CVE-2021-29482

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-25xm-hr59-7c27

Release Date: 2021-04-28

Fix Resolution: v0.5.8


CVE-2020-29652 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2020-29652 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f


CVE-2018-17143 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2018-17143 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <isindex/action=0>, leading to a "panic: runtime error" in inBodyIM in parse.go during an html.Parse call.

Publish Date: 2018-09-17

URL: CVE-2018-17143

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17143

Release Date: 2018-09-17

Fix Resolution: net- go1.11.1


CVE-2020-9283 (High) detected in github.com/hashiCorp/terraform-v0.11.11

CVE-2020-9283 - High Severity Vulnerability

Vulnerable Library - github.com/hashiCorp/terraform-v0.11.11

Terraform enables you to safely and predictably create, change, and improve infrastructure.

Library home page: https://proxy.golang.org/github.com/hashi!corp/terraform/@v/v0.11.11.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hashiCorp/terraform-v0.11.11 (Vulnerable Library)

Found in HEAD commit: c76b5f6117e71bf126f86fe0b7201056a9425e40

Found in base branch: master

Vulnerability Details

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Publish Date: 2020-02-20

URL: CVE-2020-9283

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283

Release Date: 2020-02-20

Fix Resolution: github.com/golang/crypto - bac4c82f69751a6dd76e702d54b3ceb88adab236

