Skip to content

x/vulndb: potential Go vuln in github.com/facebookincubator/tacquito: GHSA-p5wf-cmr4-xrwr #3207

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Closed
GoVulnBot opened this issue Oct 18, 2024 · 1 comment
Assignees
Labels

Comments

@GoVulnBot
Copy link

Advisory GHSA-p5wf-cmr4-xrwr references a vulnerability in the following Go modules:

Module
github.com/facebookincubator/tacquito

Description:

Impact

The CVE is for a software vulnerability. Network admins who have deployed tacquito (or versions of tacquito) in their production environments and use tacquito to perform command authorization for network devices should be impacted.

Tacquito code prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was performing regex matches on authorized commands and arguments in a more permissive than intended manner. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. This behaviour could potentially...

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/facebookincubator/tacquito
      versions:
        - fixed: 0.0.0-20241011192817-07b49d1358e6
summary: Permissive Regular Expression in tacquito in github.com/facebookincubator/tacquito
ghsas:
    - GHSA-p5wf-cmr4-xrwr
references:
    - advisory: https://github.com/advisories/GHSA-p5wf-cmr4-xrwr
    - advisory: https://github.com/facebookincubator/tacquito/security/advisories/GHSA-p5wf-cmr4-xrwr
    - fix: https://github.com/facebookincubator/tacquito/commit/07b49d1358e6ec0b5aa482fcd284f509191119e2
notes:
    - fix: 'github.com/facebookincubator/tacquito: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-p5wf-cmr4-xrwr
    created: 2024-10-18T19:01:21.632272775Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports

@tatianab tatianab self-assigned this Oct 28, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants