PT-2023-29466 · Tac Plus · Tac Plus

Takeshixx · Published 2023-10-06 · Updated 2024-09-19 · CVE-2023-45239

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

tac plus versions prior to commit 4fdf178

Description

A lack of input validation exists in tac plus, which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac plus to inject shell commands and gain remote code execution on the tac plus server.

Recommendations

For versions prior to commit 4fdf178, consider disabling pre or post auth commands until a patch is available. Restrict access to the tac plus server to minimize the risk of exploitation. Avoid using the username, rem-addr, or NAC address parameters in the affected tac plus configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
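
To act on the recommendations above, the following added example (not part of the advisory or of the tac plus project) lists where pre or post auth commands are enabled in a configuration file and which of them substitute client-supplied fields. It assumes the `before authorization` / `after authorization` directives and the `$user` and `$address` substitution variables as described in tac_plus's configuration documentation; the sample configuration, users, paths and key are constructed.

```shell
#!/bin/sh
# Added example: list pre/post auth command hooks in a tac_plus config.
# Output, one line per hook: <line>:<stanza>:<before|after>:<flagged|other>
#   flagged = the command string substitutes $user or $address
#   other   = a hook is enabled but uses neither variable

audit_tacplus_hooks() {
    # Reads the file(s) given as arguments, or stdin when none are given.
    awk '
        { line = $0; sub(/^[ \t]*#.*/, "", line) }   # ignore full-line comments
        match(line, /(user|group)[ \t]*=[ \t]*[^ \t{]+/) {
            stanza = substr(line, RSTART, RLENGTH)
            gsub(/[ \t]/, "", stanza)                 # normalise to user=alice
        }
        match(line, /(before|after)[ \t]+authorization[ \t]+"[^"]*"/) {
            hook = substr(line, RSTART, RLENGTH)
            when = (hook ~ /^before/) ? "before" : "after"
            risk = (hook ~ /\$(user|address)/) ? "flagged" : "other"
            printf "%d:%s:%s:%s\n", NR, stanza, when, risk
        }
    ' "$@"
}

# Constructed sample configuration (hypothetical users, paths and key).
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real deployment
key = "placeholder"
user = alice {
    before authorization "/usr/local/sbin/pre_auth $user $address"
}
group = ops {
    # after authorization "/bin/true"
    after authorization "/usr/local/sbin/post_auth $port"
}
EOF
}

sample_conf | audit_tacplus_hooks
```

Every reported hook is a candidate for disabling on versions prior to commit 4fdf178; the `flagged` ones are those that pass the username or NAC address into the command string.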

Related Identifiers

CVE-2023-45239
GHSA-P334-5R3G-4VX3

Affected Products

Tac Plus