x/vulndb: potential Go vuln in github.com/hashicorp/terraform: GHSA-h626-pv66-hhm7

[GoVulnBot]

In GitHub Security Advisory GHSA-h626-pv66-hhm7, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/hashicorp/terraform	1.5.7	>= 1.0.8, < 1.5.7

Cross references:

• Module github.com/hashicorp/terraform appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/terraform/backend/remote-state/azure: GHSA-h3p9-wrgx-82cm #839 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/hashicorp/terraform
      versions:
        - introduced: 1.0.8
          fixed: 1.5.7
      vulnerable_at: 1.5.6
      packages:
        - package: github.com/hashicorp/terraform
summary: Terraform allows arbitrary file write during the `init` operation
description: |-
    Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the
    `init` operation if run on maliciously crafted Terraform configuration. This
    vulnerability is fixed in Terraform 1.5.7.
cves:
    - CVE-2023-4782
ghsas:
    - GHSA-h626-pv66-hhm7
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-4782
    - web: https://discuss.hashicorp.com/t/hcsec-2023-27-terraform-allows-arbitrary-file-write-during-init-operation/58082
    - fix: https://github.com/hashicorp/terraform/pull/33745
    - fix: https://github.com/hashicorp/terraform/commit/0f2314fb62193c4be94328cc026fcb7ec1e9b893
    - web: https://github.com/hashicorp/terraform/releases/tag/v1.5.7
    - advisory: https://github.com/advisories/GHSA-h626-pv66-hhm7

[gopherbot]

Change https://go.dev/cl/527176 mentions this issue: data/excluded: batch add 14 excluded reports

[gopherbot]

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606791 mentions this issue: data/reports: unexclude 20 reports (11)