7.6

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-p5wf-cmr4-xrwr

EPSS Score

CWE

CWE-1333

Published

10/18/2024

Updated

11/1/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-p5wf-cmr4-xrwr

GHSA-p5wf-cmr4-xrwr: Permissive Regular Expression in tacquito

Impact

The CVE is for a software vulnerability. Network admins who have deployed tacquito (or versions of tacquito) in their production environments and use tacquito to perform command authorization for network devices should be impacted.

Tacquito code prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was performing regex matches on authorized commands and arguments in a more permissive than intended manner. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. This behaviour could potentially allowed unauthorized commands to be executed.

Patches

The problem has been patched, and users should update to the latest github repo commit to get the patch.

Workarounds

Users should be able to add boundary conditions anchors '^' and '$' to their command configs to remediate the vulnerability without the upgrade

(GitHub Advisory)

7.6

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-p5wf-cmr4-xrwr

EPSS Score

CWE

CWE-1333

Published

10/18/2024

Updated

11/1/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/facebookincubator/tacquito	go	< 0.0.0-20241011192817-07b49d1358e6	0.0.0-20241011192817-07b49d1358e6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from 2 key points:

In command.go's evaluate() function, regex patterns were applied without ^/$ anchors via regexp.MatchString, allowing substring matches
CommandArgs() included line endings that could be abused to bypass intended restrictions

The commit patched both issues by:

Adding automatic anchoring in evaluate()
Introducing CommandArgsNoLE() to strip line endings
Adding regex boundary checks Pre-patch versions lacked these safeguards, making these functions vulnerable to regex-based command injection through partial matches.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *V* is *or * so*tw*r* vuln*r**ility. N*twork **mins w*o **v* **ploy** t**quito (or v*rsions o* t**quito) in t**ir pro*u*tion *nvironm*nts *n* us* t**quito to p*r*orm *omm*n* *ut*oriz*tion *or n*twork **vi**s s*oul* ** imp**t**. T**qui

Reasoning

T** *or* vuln*r**ility st*ms *rom * k*y points: *. In *omm*n*.*o's *v*lu*t*() *un*tion, r***x p*tt*rns w*r* *ppli** wit*out ^/$ *n**ors vi* r***xp.M*t**Strin*, *llowin* su*strin* m*t***s *. *omm*n**r*s() in*lu*** lin* *n*in*s t**t *oul* ** **us** to

7.6

Basic Information

Concerned about an active attack path?

GHSA-p5wf-cmr4-xrwr: Permissive Regular Expression in tacquito

Impact

Patches

Workarounds

7.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI