GHSA-4vgf-2cm4-mp7c

Source
https://github.com/advisories/GHSA-4vgf-2cm4-mp7c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-4vgf-2cm4-mp7c/GHSA-4vgf-2cm4-mp7c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4vgf-2cm4-mp7c
Aliases
  • CVE-2025-46735
Published
2025-05-06T16:38:44Z
Modified
2025-05-06T19:56:57Z
Severity
  • 1.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U
Summary
Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`
Details

Impact:

A security issue has been found in terraform-provider-windns before version 1.0.5. The `windns_record` resource did not sanitize its input variables. This can lead to authenticated command injection in the underlying PowerShell command prompt.

Patches:

83ef736 (fix: better input validation)

Fixed versions:

  • v1.0.5
Database specific
{
    "nvd_published_at": "2025-05-06T17:16:12Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-06T16:38:44Z"
}
Affected packages

Go / github.com/nrkno/terraform-provider-windns

Package

Name
github.com/nrkno/terraform-provider-windns
Purl
pkg:golang/github.com/nrkno/terraform-provider-windns

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
1.0.4