Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1wNXdmLWNtcjQteHJ3cs4ABAbh

Permissive Regular Expression in tacquito

Impact

The CVE is for a software vulnerability. Network admins who have deployed tacquito (or versions of tacquito) in their production environments and use tacquito to perform command authorization for network devices should be impacted.

Tacquito code prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was performing regex matches on authorized commands and arguments in a more permissive than intended manner. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. This behaviour could potentially allowed unauthorized commands to be executed.

Patches

The problem has been patched, and users should update to the latest github repo commit to get the patch.

Workarounds

Users should be able to add boundary conditions anchors '^' and '$' to their command configs to remediate the vulnerability without the upgrade

Permalink: https://github.com/advisories/GHSA-p5wf-cmr4-xrwr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNXdmLWNtcjQteHJ3cs4ABAbh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: 19 days ago

CVSS Score: 7.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H

Identifiers: GHSA-p5wf-cmr4-xrwr
References:

• https://github.com/facebookincubator/tacquito/security/advisories/GHSA-p5wf-cmr4-xrwr
• https://github.com/facebookincubator/tacquito/commit/07b49d1358e6ec0b5aa482fcd284f509191119e2
• https://nvd.nist.gov/vuln/detail/CVE-2024-49400
• https://www.facebook.com/security/advisories/cve-2024-49400
• https://github.com/advisories/GHSA-p5wf-cmr4-xrwr

Repository: https://github.com/facebookincubator/tacquito
Blast Radius: 1.0

Affected Packages