PT-2024-37076 · Tapir · Tapir

·

CVE-2024-56802

·

Published

2024-12-31

·

Updated

2025-01-01

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Tapir versions 0.9.0 through 0.9.1
Description: Tapir is a private Terraform registry. The issue concerns scope-able Deploykeys, where attackers can guess the key to gain write access to the registry.
Recommendations: For versions 0.9.0 and 0.9.1, upgrade to version 0.9.2 to resolve the issue. As a temporary workaround, consider restricting access to the Deploykeys until the upgrade is applied.

Exploit

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2024-56802
GHSA-RJ9M-QF65-F5GG

Affected Products

Tapir