GHSA-j443-wcqq-xprh

Source
https://github.com/advisories/GHSA-j443-wcqq-xprh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-j443-wcqq-xprh/GHSA-j443-wcqq-xprh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j443-wcqq-xprh
Aliases
Published
2026-03-11T00:32:49Z
Modified
2026-03-23T04:56:29.135498709Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go
Details

Summary

A critical vulnerability has been reported against this package at https://security.snyk.io/package/linux/chainguard:latest/terraform-provider-sendgrid. The flaw is not in the provider's own code but in the Go standard library (crypto/tls) it is built with, so whether a given build is affected depends on the Go version used to produce it.

If the server's TLS configuration is mutated between connections (for example, a CA is removed from the trusted pool by cloning the Config with Config.Clone() and modifying the copy, or by returning a modified Config from GetConfigForClient), a resumed handshake still succeeds on the cached session. The peer certificate that was verified during the original full handshake is not re-checked against the updated CA pool.

As a result, a client whose CA was revoked or removed between the first and second connection can still connect by resuming the earlier session.
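The scenario above, as an added example (this is not code from the advisory, the provider, or the Go project). It stands up an in-process mTLS server whose ClientCAs pool is rebuilt from an atomic pointer on every ClientHello via GetConfigForClient, lets a client complete a full handshake and cache the TLS 1.3 session ticket, swaps the pool for an empty one (the CA is gone), and dials again. With recheck=false the server is configured exactly as the advisory describes, so the second connection's outcome depends on the Go toolchain you build with: first=true second=true resumed=true means that toolchain still accepts the cached session without re-checking the chain. With recheck=true a VerifyConnection hook, which crypto/tls runs for resumed handshakes as well (VerifyPeerCertificate is not run on resumptions), re-verifies the stored client chain against the current pool, so the second connection fails on every Go version. The throwaway PKI, the probe-ca/probe-client names, and the functions Probe, issue, connect and must are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// must aborts the probe on PKI or listener setup errors; there is nothing to recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a throwaway certificate (Leaf populated) signed by parent, or self-signed when ca is set.
// Constructed for this example; not real credentials.
func issue(serial int64, cn string, ca bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey any) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, IsCA: ca, BasicConstraintsValid: ca,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Probe serves mTLS from the in-process PKI, drops the client CA from the trust store between two
// connections, and reports how each went. With recheck set, a VerifyConnection hook re-verifies the
// client chain against the current pool on every handshake, resumptions included.
func Probe(recheck bool) (firstOK, secondOK, secondResumed bool) {
	ca := issue(1, "probe-ca", true, nil, nil, nil)
	srv := issue(2, "localhost", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca.Leaf, ca.PrivateKey)
	cli := issue(3, "probe-client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca.Leaf, ca.PrivateKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	var clientCAs atomic.Pointer[x509.CertPool] // the live trust store, swapped between connections
	clientCAs.Store(trusted)

	base := &tls.Config{GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
		// A fresh Config per ClientHello from whatever pool is current: the pattern the advisory describes.
		cfg := &tls.Config{
			MinVersion:   tls.VersionTLS13,
			Certificates: []tls.Certificate{srv},
			ClientAuth:   tls.RequireAndVerifyClientCert,
			ClientCAs:    clientCAs.Load(),
		}
		if recheck {
			cfg.VerifyConnection = func(cs tls.ConnectionState) error {
				if len(cs.PeerCertificates) == 0 {
					return errors.New("no client certificate")
				}
				inter := x509.NewCertPool()
				for _, c := range cs.PeerCertificates[1:] {
					inter.AddCert(c)
				}
				_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{
					Roots: clientCAs.Load(), Intermediates: inter,
					KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
				})
				return err
			}
		}
		return cfg, nil
	}}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", base))
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); c.Write([]byte("ok")) }(c) // Write runs the handshake
		}
	}()

	client := &tls.Config{
		ServerName:         "localhost",
		RootCAs:            trusted,
		Certificates:       []tls.Certificate{cli},
		ClientSessionCache: tls.NewLRUClientSessionCache(4), // keeps the ticket for connection two
		MinVersion:         tls.VersionTLS13,
	}
	firstOK, _ = connect(ln.Addr().String(), client)
	clientCAs.Store(x509.NewCertPool()) // "remove" the CA: an empty pool trusts no issuer at all
	secondOK, secondResumed = connect(ln.Addr().String(), client)
	return firstOK, secondOK, secondResumed
}

// connect dials, reads the greeting (which also delivers the session ticket to the cache) and
// reports success plus whether the handshake was a resumption.
func connect(addr string, cfg *tls.Config) (ok, resumed bool) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, false
	}
	defer conn.Close()
	if _, err := io.ReadFull(conn, make([]byte, 2)); err != nil {
		return false, false
	}
	return true, conn.ConnectionState().DidResume
}

func main() {
	for _, recheck := range []bool{false, true} {
		first, second, resumed := Probe(recheck)
		fmt.Printf("recheck=%-5v first=%v second=%v resumed=%v\n", recheck, first, second, resumed)
	}
}
```

Run it with `go run` under the toolchain the provider is built with to learn whether that toolchain is affected; the definitive fix remains rebuilding with a patched Go. If adding the hook is not an option, setting SessionTicketsDisabled on the server Config removes resumption altogether, at the cost of a full handshake on every connection.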

Database specific
{
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ],
    "github_reviewed_at": "2026-03-11T00:32:49Z"
}
References

Affected packages

Go / github.com/arslanbekov/terraform-provider-sendgrid

Package

Name
github.com/arslanbekov/terraform-provider-sendgrid
Purl
pkg:golang/github.com/arslanbekov/terraform-provider-sendgrid

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.1.3-0.20250606002314-b4a2dfeb7b0f

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-j443-wcqq-xprh/GHSA-j443-wcqq-xprh.json"