
Terraform Provider for SendGrid: Man-in-the-Middle Attacks Possible

GHSA-j443-wcqq-xprh
Summary

A vulnerability in the Terraform Provider for SendGrid allows a malicious server to intercept sensitive data. This can happen when the server's TLS configuration is changed between connections, because a resumed TLS session is not re-checked against the updated certificate authority trust store. To fix this, update to the latest version of the Terraform Provider for SendGrid.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor: github.com
Product: arslanbekov
Affected versions: <= 1.1.3-0.20250606002314-b4a2dfeb7b0f
Fix available: No
Original title
Terraform Provider for SendGrid: TLS Session Resumption Bypasses Certificate Authority Trust Store Modifications in Go
Original description
### Summary

A critical vulnerability has been identified at https://security.snyk.io/package/linux/chainguard:latest/terraform-provider-sendgrid, associated with the underlying Go version.

If the server's TLS configuration is mutated between connections — for example, a CA is removed from the trusted list by modifying a copy obtained from `Config.Clone()` or by returning a different config from `GetConfigForClient` — the resumed handshake still succeeds using the cached session. The certificate is not re-checked against the updated CA list.

As a result, a client whose CA was revoked or removed between the first and second connection could still establish a connection on the resumed session.

Source: GHSA · CVSS 3.1 base score: 10.0
Vulnerability type
CWE-295 Improper Certificate Validation
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026