PT-2024-33511 · Tacquito · Tacquito

Published

2024-10-17

·

Updated

2024-11-01

·

CVE-2024-49400

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Tacquito versions prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2

Description

Regex matches on authorized commands and arguments were performed incorrectly. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a substring. This behavior could have allowed unauthorized commands to be executed. Network administrators who have deployed Tacquito in their production environments and use it to perform command authorization for network devices are impacted.

Recommendations

For versions prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2, update to the latest commit of the GitHub repository to get the patch. As a temporary workaround, users can add the boundary anchors '^' and '$' to their command configurations to remediate the vulnerability without upgrading.
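The substring-versus-whole-string difference described above, shown as an added example in Go (the language Tacquito is written in); this is not Tacquito's own code, and the allow-list pattern and commands are constructed for illustration:

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed allow-list rule standing in for a configured command entry.
// A real Tacquito config carries its own patterns; this one is made up.
const allowedPattern = `show (version|clock)`

// authorizeUnanchored mirrors the pre-fix behaviour the advisory describes:
// the configured pattern is used as-is, so it only has to match a
// substring of the requested command to authorize it.
func authorizeUnanchored(pattern, command string) bool {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false // an invalid rule must never authorize anything
	}
	return re.MatchString(command)
}

// authorizeAnchored applies the advisory's workaround on the server side:
// wrap the rule in ^ and $ so it must cover the whole command.
// The (?: ) group keeps an alternation inside the rule from escaping the anchors.
func authorizeAnchored(pattern, command string) bool {
	return authorizeUnanchored("^(?:"+pattern+")$", command)
}

func main() {
	// Constructed sample commands: one exact match, one with extra trailing
	// text that only a substring match accepts, one unrelated command.
	for _, cmd := range []string{"show version", "show clock detail", "configure terminal"} {
		fmt.Printf("%-20q unanchored=%-5v anchored=%v\n", cmd,
			authorizeUnanchored(allowedPattern, cmd),
			authorizeAnchored(allowedPattern, cmd))
	}
}
```

When adding the anchors by hand in a configuration, as the workaround suggests, keep any alternation inside parentheses: `^show version|clock$` anchors only one branch each, whereas `^show (version|clock)$` anchors the whole rule.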

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2024-49400
GHSA-J42F-WC6V-5XPQ
GHSA-P5WF-CMR4-XRWR

Affected Products

Tacquito