x/vulndb: potential Go vuln in github.com/facebookincubator/tacquito: GHSA-p5wf-cmr4-xrwr

Advisory GHSA-p5wf-cmr4-xrwr references a vulnerability in the following Go modules:

Module
github.com/facebookincubator/tacquito

Description:

Impact

The CVE is for a software vulnerability. Network admins who have deployed tacquito (or versions of tacquito) in their production environments and use tacquito to perform command authorization for network devices should be impacted.

Tacquito code prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was performing regex matches on authorized commands and arguments in a more permissive than intended manner. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. This behaviour could potentially...

References:

No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/facebookincubator/tacquito
      versions:
        - fixed: 0.0.0-20241011192817-07b49d1358e6
summary: Permissive Regular Expression in tacquito in github.com/facebookincubator/tacquito
ghsas:
    - GHSA-p5wf-cmr4-xrwr
references:
    - advisory: https://github.com/advisories/GHSA-p5wf-cmr4-xrwr
    - advisory: https://github.com/facebookincubator/tacquito/security/advisories/GHSA-p5wf-cmr4-xrwr
    - fix: https://github.com/facebookincubator/tacquito/commit/07b49d1358e6ec0b5aa482fcd284f509191119e2
notes:
    - fix: 'github.com/facebookincubator/tacquito: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-p5wf-cmr4-xrwr
    created: 2024-10-18T19:01:21.632272775Z
review_status: UNREVIEWED

golang / vulndb

x/vulndb: potential Go vuln in github.com/facebookincubator/tacquito: GHSA-p5wf-cmr4-xrwr #3207

Impact