Terraform goutils library critical vulnerability CVE-2021-4238 #32606

Closed
dyferx opened this issue Jan 31, 2023 · 5 comments · Fixed by #32609
Labels
bug · new (new issue not yet triaged) · v1.3 (issues, primarily bugs, reported against v1.3 releases)

Comments

@dyferx

dyferx commented Jan 31, 2023

Terraform Version

1.3.7

Terraform Configuration Files

n/a

Debug Output

n/a

Expected Behavior

Terraform binary file passed vulnerability scans

Actual Behavior

Multiple vulnerability scanners (for example Trivy, Grype) are finding a critical vulnerability (CVE-2021-4238) in the Masterminds/goutils v1.1.0 library used by the latest Terraform. This is blocking our build pipelines (we are building Docker images with Terraform inside).

Steps to Reproduce

  1. Scan any docker image with latest terraform inside with Trivy or Grype vulnerability scanners.

Additional Context

This can be easily fixed by updating the github.com/Masterminds/goutils library to v1.1.1.

References

No response

@dyferx dyferx added the bug and new (new issue not yet triaged) labels Jan 31, 2023
@dyferx dyferx changed the title Terraform goutils library Vulnerability CVE-2021-4238 Terraform goutils library vulnerability CVE-2021-4238 Jan 31, 2023
@dyferx dyferx changed the title Terraform goutils library vulnerability CVE-2021-4238 Terraform goutils library critical vulnerability CVE-2021-4238 Jan 31, 2023
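The scanner findings in this report are version-range matches against the module list embedded in the Terraform binary. What follows is an added example, not Terraform's code and not code from Trivy or Grype: it parses `go version -m`-style build info (a constructed sample; the `h1:` sums are placeholders and the `github.com/example/...` modules are hypothetical), honours a `=>` replacement line where one is present, and flags any module below an advisory's fixed version, here `github.com/Masterminds/goutils` below v1.1.1 for CVE-2021-4238. Because the match is purely by version, it reproduces a scanner's verdict but says nothing about whether the affected code is reachable, which is why a finding like this still needs the maintainers' review of how the library is actually used.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is the version-range rule a scanner applies: a module path and
// the first version that carries the fix.
type Advisory struct {
	ID     string
	Module string
	Fixed  string
}

// Finding is one advisory that matched a compiled-in dependency.
type Finding struct {
	Advisory Advisory
	Version  string
}

// Dependency is one "dep" line after any "=>" replacement has been applied.
type Dependency struct {
	Path    string
	Version string
}

// ParseDeps reads output in the shape of `go version -m <binary>`: every line
// is tab separated and indented with a leading tab. A "=>" line replaces the
// module on the line before it, so the replacement is what was actually
// compiled in and is what must be checked. A local-directory replacement has
// no version field and is skipped, leaving the original dep in place.
func ParseDeps(buildInfo string) []Dependency {
	var deps []Dependency
	for _, raw := range strings.Split(buildInfo, "\n") {
		fields := strings.Fields(raw) // drops the leading tab, splits on tabs
		if len(fields) < 3 {
			continue
		}
		switch fields[0] {
		case "dep":
			deps = append(deps, Dependency{Path: fields[1], Version: fields[2]})
		case "=>":
			if n := len(deps); n > 0 {
				deps[n-1] = Dependency{Path: fields[1], Version: fields[2]}
			}
		}
	}
	return deps
}

// core splits "v1.2.3-pre+meta" into [1 2 3] and reports whether a
// pre-release or pseudo-version suffix was present.
func core(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	base, _, hasPre := strings.Cut(v, "-")
	if i := strings.Index(base, "+"); i >= 0 {
		base = base[:i] // drop build metadata such as "+incompatible"
	}
	var out [3]int
	for i, part := range strings.SplitN(base, ".", 3) {
		n, _ := strconv.Atoi(part)
		out[i] = n
	}
	return out, hasPre
}

// versionLess reports whether module version a sorts before b. It compares
// major.minor.patch numerically and treats a suffixed version (pre-release or
// pseudo-version) as older than the same bare version, so
// "v1.1.1-0.20210101000000-abcdef012345" is still below the fixed "v1.1.1".
func versionLess(a, b string) bool {
	ca, pa := core(a)
	cb, pb := core(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return pa && !pb
}

// FindAffected returns every advisory whose module is present in the build
// info at a version below the fixed one. This is exactly the version match a
// scanner performs; reachability of the vulnerable code is out of scope.
func FindAffected(buildInfo string, advisories []Advisory) []Finding {
	var findings []Finding
	for _, dep := range ParseDeps(buildInfo) {
		for _, adv := range advisories {
			if dep.Path == adv.Module && versionLess(dep.Version, adv.Fixed) {
				findings = append(findings, Finding{Advisory: adv, Version: dep.Version})
			}
		}
	}
	return findings
}

// Constructed sample in the shape of `go version -m terraform`. The h1: sums
// are placeholders and the github.com/example modules are hypothetical.
const sampleBuildInfo = "terraform: go1.19.4\n" +
	"\tpath\tgithub.com/hashicorp/terraform\n" +
	"\tmod\tgithub.com/hashicorp/terraform\t(devel)\n" +
	"\tdep\tgithub.com/Masterminds/goutils\tv1.1.0\th1:PLACEHOLDER\n" +
	"\tdep\tgithub.com/example/unaffected\tv3.0.0\th1:PLACEHOLDER\n" +
	"\tdep\tgithub.com/example/replaced\tv0.1.0\th1:PLACEHOLDER\n" +
	"\t=>\tgithub.com/example/fork\tv0.2.0\th1:PLACEHOLDER\n"

// The one advisory this issue is about: fixed in goutils v1.1.1.
var advisories = []Advisory{
	{ID: "CVE-2021-4238", Module: "github.com/Masterminds/goutils", Fixed: "v1.1.1"},
}

func main() {
	for _, f := range FindAffected(sampleBuildInfo, advisories) {
		fmt.Printf("%s: %s %s (fixed in %s)\n",
			f.Advisory.ID, f.Advisory.Module, f.Version, f.Advisory.Fixed)
	}
}
```

Run against a real binary by feeding it the output of `go version -m terraform`; with the sample above it reports the single goutils finding, and the same input with the dependency bumped to v1.1.1 reports nothing, which is the check a pipeline can use to confirm that a vendor's patch release actually cleared the scanner's match.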
@mmorejon

Same error here!

@2tim

2tim commented Jan 31, 2023

Related: #32188

@crw
Collaborator

crw commented Jan 31, 2023

Thanks for the report! Per the devs' initial review, the CVE does not affect Terraform's usage of the library, so it is effectively a false positive. That said, we will endeavor to upgrade the library at the earliest convenience. Thanks for bringing it to our attention.

@crw crw added the v1.3 (issues, primarily bugs, reported against v1.3 releases) label Jan 31, 2023
@crw crw linked a pull request Jan 31, 2023 that will close this issue
@alisdair
Member

This will be fixed in the next 1.3 patch release.

@github-actions

github-actions bot commented Mar 3, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 3, 2023