PT-2024-37076 · Tapir · Tapir
Loispostula · Published 2024-12-31 · Updated 2025-01-01
CVE-2024-56802
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Tapir versions 0.9.0 through 0.9.1
Description:
Tapir is a private Terraform registry. The issue concerns scope-able Deploykeys, where attackers can guess the key to gain write access to the registry.
Recommendations:
For versions 0.9.0 and 0.9.1, upgrade to version 0.9.2 to resolve the issue. As a temporary workaround, consider restricting access to the Deploykeys until the upgrade is applied.
Exploit
Fix
Improper Authorization
Affected Products
Tapir