UNCLASSIFIED - NO CUI

Skip to content

chore(findings): hashicorp/terraform

Summary

hashicorp/terraform has 57 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=hashicorp/terraform&tag=1.12.0&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2022-0529 Twistlock CVE Low unzip-6.0-58.el9_5 0.00242 false
CVE-2022-0529 Anchore CVE Low unzip-6.0-58.el9_5 0.00242 false
CVE-2022-41723 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00229 false
CVE-2022-41723 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00229 false
CVE-2021-4217 Twistlock CVE Low unzip-6.0-58.el9_5 0.00172 false
CVE-2021-4217 Anchore CVE Low unzip-6.0-58.el9_5 0.00172 false
CVE-2017-1000383 Twistlock CVE Low emacs-27.2-14.el9_6.2 0.00142 false
CVE-2022-0530 Twistlock CVE Low unzip-6.0-58.el9_5 0.00120 false
CVE-2022-0530 Anchore CVE Low unzip-6.0-58.el9_5 0.00120 false
CVE-2023-29409 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00112 false
CVE-2023-29409 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00112 false
CVE-2023-24536 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00066 false
CVE-2023-24536 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00066 false
CVE-2025-47907 Anchore CVE High stdlib-go1.24.2 0.00059 false
CVE-2025-8959 Twistlock CVE High github.com/hashicorp/go-getter-v1.7.8 0.00057 false
CVE-2025-58058 Twistlock CVE Medium github.com/ulikunitz/xz-v0.5.10 0.00051 false
CVE-2022-41725 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00051 false
CVE-2022-41725 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00051 false
CVE-2023-50495 Anchore CVE Low ncurses-6.2-10.20210508.el9_6.2 0.00050 false
CVE-2023-24534 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00045 false
CVE-2023-24534 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00045 false
CVE-2024-45336 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00041 false
CVE-2024-45336 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00041 false
CVE-2024-8244 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00039 false
CVE-2024-8244 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00039 false
CVE-2024-45341 Twistlock CVE Low git-lfs-3.6.1-2.el9_6 0.00032 false
CVE-2024-45341 Anchore CVE Low git-lfs-3.6.1-2.el9_6 0.00032 false
CVE-2025-8556 Twistlock CVE Low github.com/cloudflare/circl-v1.4.0 0.00024 false
CVE-2022-23806 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00020 false
CVE-2025-4673 Anchore CVE Medium stdlib-go1.24.2 0.00019 false
CVE-2025-4673 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00019 false
CVE-2025-4673 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00019 false
CVE-2025-4673 Twistlock CVE Low net/http-1.24.2 0.00019 false
CVE-2025-32728 Twistlock CVE Medium openssh-8.7p1-45.el9 0.00019 false
CVE-2025-32728 Anchore CVE Medium openssh-clients-8.7p1-45.el9 0.00019 false
CVE-2025-32728 Anchore CVE Medium openssh-8.7p1-45.el9 0.00019 false
CVE-2022-41724 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00016 false
CVE-2022-41724 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00016 false
CVE-2025-48386 Twistlock CVE Medium git-2.47.3-1.el9_6 0.00015 false
CVE-2025-48386 Anchore CVE Medium git-core-2.47.3-1.el9_6 0.00015 false
CVE-2025-48386 Anchore CVE Medium perl-Git-2.47.3-1.el9_6 0.00015 false
CVE-2025-48386 Anchore CVE Medium git-core-doc-2.47.3-1.el9_6 0.00015 false
CVE-2025-48386 Anchore CVE Medium git-2.47.3-1.el9_6 0.00015 false
CVE-2025-22870 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00015 false
CVE-2025-22870 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00015 false
CVE-2025-22874 Twistlock CVE Low crypto/x509-1.24.2 0.00012 false
CVE-2025-22874 Anchore CVE High stdlib-go1.24.2 0.00012 false
CVE-2025-22866 Twistlock CVE Medium git-lfs-3.6.1-2.el9_6 0.00012 false
CVE-2025-22866 Anchore CVE Medium git-lfs-3.6.1-2.el9_6 0.00012 false
CVE-2023-51767 Twistlock CVE Medium openssh-8.7p1-45.el9 0.00012 false
CVE-2023-51767 Anchore CVE Medium openssh-clients-8.7p1-45.el9 0.00012 false
CVE-2023-51767 Anchore CVE Medium openssh-8.7p1-45.el9 0.00012 false
CVE-2025-4674 Anchore CVE High stdlib-go1.24.2 0.00006 false
PRISMA-2022-0227 Twistlock CVE High github.com/emicklei/go-restful/v3-v3.8.0 N/A N/A
GHSA-wjrx-6529-hcj3 Anchore CVE High github.com/hashicorp/go-getter-v1.7.8 N/A N/A
GHSA-jc7w-c686-c4v9 Anchore CVE Medium github.com/ulikunitz/xz-v0.5.10 N/A N/A
GHSA-2x5j-vhc8-9cwm Anchore CVE Low github.com/cloudflare/circl-v1.4.0 N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=hashicorp/terraform&tag=1.12.0&branch=master

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by CHORE_TOKEN
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI