I wonder if this is valid <https github com pulumi pulumi va Pulumi Community #general

I wonder if this is valid. <https://github.com/pul...

late-chef-72896

04/28/2025, 2:35 PM

I wonder if this is valid. https://github.com/pulumi/pulumi-vault/blob/c35b3fe827b604c0da529c79e59aed3b9f95c7a3/provider/go.mod#L297 that version is causing issues with

CVE-2022-26945

. These is also in import of

v1.7.5

here https://github.com/pulumi/pulumi-vault/blob/c35b3fe827b604c0da529c79e59aed3b9f95c7a3/provider/go.mod#L123

late-chef-72896

04/28/2025, 2:35 PM

This is causing renovate to fail in our pipeline with

Copy code

.cache/pulumi/plugins/resource-vault-v6.7.0/pulumi-resource-vault (gobinary)
16:07:04  ============================================================================
16:07:04  Total: 1 (CRITICAL: 1)
16:07:04  
16:07:04  ┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
16:07:04  │            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
16:07:04  ├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
16:07:04  │ <http://github.com/hashicorp/go-getter|github.com/hashicorp/go-getter> │ CVE-2022-26945 │ CRITICAL │ fixed  │ v1.4.0            │ 1.6.1, 2.1.0  │ go-getter: command injection vulnerability │
16:07:04  │                                │                │          │        │                   │               │ <https://avd.aquasec.com/nvd/cve-2022-26945> │
16:07:04  └────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────

Open in Slack

Previous Next