{"url":"http://public2.vulnerablecode.io/api/packages/112163?format=json","purl":"pkg:golang/github.com/linode/terraform-provider-linode/v3@3.9.0","type":"golang","namespace":"github.com/linode/terraform-provider-linode","name":"v3","version":"3.9.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90659?format=json","vulnerability_id":"VCID-m77e-qm82-5kca","summary":"Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure\n### Impact\nThe Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, object storage data, and NodeBalancer TLS keys in debug logs without redaction.\n\n**Important:** Provider debug logging is **not enabled by default**.  \nThis issue is exposed when debug/provider logs are explicitly enabled (for example in local troubleshooting, CI/CD jobs, or centralized log collection). 
If enabled, sensitive values may be written to logs and then retained, shared, or exported beyond the original execution environment.\n\nSpecifically:\n- Instance creation operations logged the full InstanceCreateOptions struct containing RootPass and StackScriptData\n- Instance disk creation logged InstanceDiskCreateOptions containing RootPass and StackscriptData\n- StackScript update operations logged the complete script content via StackscriptUpdateOptions.Script\n- Image share group member creation logged tokens in ImageShareGroupAddMemberOptions.Token\n- Object storage operations logged full PutObjectInput structures containing user data\n- NodeBalancer config create and update operations logged NodeBalancerConfigCreateOptions and NodeBalancerConfigUpdateOptions containing the SSLKey (TLS private key)\n\nAn authenticated user with access to provider debug logs (through log aggregation systems, CI/CD pipelines, or debug output) would thus be able to extract these sensitive credentials.\n\n### Patches\nUpdate to version v3.9.0 or later, which sanitizes debug logs by logging only non-sensitive metadata such as labels, regions, and resource IDs while redacting credentials, tokens, keys, scripts, and other sensitive content.\n\n### Workarounds and Mitigations\n- Disable Terraform/provider debug logging or set it to `WARN` level or above\n  - To disable the logging, you can unset `TF_LOG_PROVIDER` and `TF_LOG` environment variables\n  - Or you can set them to `WARN` or `ERROR` levels to avoid sensitive information logged in `INFO` and `DEBUG` levels.\n  - See Terraform docs for details: https://developer.hashicorp.com/terraform/internals/debugging\n- Restrict access to existing and historical logs\n- Purge/retention-trim logs that may contain sensitive values\n- Rotate potentially exposed secrets/credentials, including:\n  - Root passwords\n  - Image share group tokens\n  - TLS private keys/certificates used in NodeBalancer configs\n  - StackScript content/secrets 
if embedded\n\n### Credits\nThis issue was reported to Terraform by Hasan Sheet via [Akamai's HackerOne Bug Bounty program](https://hackerone.com/akamai).\n\n### Resources\nhttps://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0\nhttps://github.com/linode/terraform-provider-linode/pull/2269\nhttps://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27900","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02726","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02676","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02709","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02773","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02779","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27900"},{"reference_url":"https://github.com/linode/terraform-provider-linode","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/linode/terraform-provider-linode"},{"reference_url":"https://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"va
lue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:35:17Z/"}],"url":"https://github.com/linode/terraform-provider-linode/commit/43a925d826b999f0355de3dc7330c55f496824c0"},{"reference_url":"https://github.com/linode/terraform-provider-linode/pull/2269","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:35:17Z/"}],"url":"https://github.com/linode/terraform-provider-linode/pull/2269"},{"reference_url":"https://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:35:17Z/"}],"url":"https://github.com/linode/terraform-provider-linode/releases/tag/v3.9.0"},{"reference_url":"https://github.com/linode/terraform-provider-linode/security/advisories/GHSA-5rc7-2jj6-mp64","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVC
v2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:35:17Z/"}],"url":"https://github.com/linode/terraform-provider-linode/security/advisories/GHSA-5rc7-2jj6-mp64"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27900","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27900"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/26/2","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/26/2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112163?format=json","purl":"pkg:golang/github.com/linode/terraform-provider-linode/v3@3.9.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/linode/terraform-provider-linode/v3@3.9.0"}],"aliases":["CVE-2026-27900","GHSA-5rc7-2jj6-mp64"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m77e-qm82-5kca"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/linode/terraform-provider-linode/v3@3.9.0"}