
Cloud Vulnerability DB
A community-led vulnerabilities database
A high severity vulnerability (GHSA-p5wf-cmr4-xrwr) was discovered in tacquito, affecting versions prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2. The vulnerability was published on October 18, 2024, and involves a permissive regular expression matching issue in the command authorization system. The vulnerability has been assigned CVE-2024-49400 and received a CVSS v3.1 score of 7.1, indicating high severity (GitHub Advisory).
The vulnerability stems from an improper regex matching implementation for authorized commands and arguments. The system was intended to require a match on the entire string for command authorization, but instead only enforced a match on substrings. This behavior made the regex matching more permissive than intended. For example, a pattern like 'cat.*' would incorrectly match commands such as 'bash /etc/somefolder/filenamecontainscat.sh', demonstrating the overly permissive nature of the matching (GitHub Commit).
The vulnerability affects network administrators who have deployed tacquito in their production environments and use it to perform command authorization for network devices. The permissive regex matching could allow unauthorized commands to be executed, compromising the security of the command authorization system (GitHub Advisory).
Users can address this vulnerability through two approaches: 1) update to the latest GitHub repository commit, which includes the patch, or 2) add the boundary anchors '^' and '$' to their command configs as a temporary workaround without upgrading. The permanent fix has been implemented in commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 (GitHub Advisory).
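The substring-versus-entire-string behaviour described above, and the anchor workaround, as an added example in Go (tacquito's language) that is not tacquito's own code: matchSubstring, matchEntire and unanchoredPatterns are hypothetical names, and the sample pattern and command are the advisory's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// matchSubstring reproduces the pre-fix behaviour described in the advisory:
// the pattern is tested anywhere inside the command string (hypothetical name).
func matchSubstring(pattern, command string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(command), nil
}

// matchEntire anchors the pattern so it must consume the whole command,
// which is the behaviour the authorization check was intended to have.
func matchEntire(pattern, command string) (bool, error) {
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return false, err
	}
	return re.MatchString(command), nil
}

// unanchoredPatterns lists configured patterns missing the '^' and '$' anchors
// the advisory recommends as a workaround on unpatched deployments.
func unanchoredPatterns(patterns []string) []string {
	var out []string
	for _, p := range patterns {
		if !strings.HasPrefix(p, "^") || !strings.HasSuffix(p, "$") {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed sample values, taken from the advisory's own example.
	pattern, cmd := "cat.*", "bash /etc/somefolder/filenamecontainscat.sh"
	sub, _ := matchSubstring(pattern, cmd)
	full, _ := matchEntire(pattern, cmd)
	fmt.Printf("substring match: %v, entire-string match: %v\n", sub, full)
	fmt.Println("patterns needing anchors:", unanchoredPatterns([]string{pattern, "^show .*$"}))
}
```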
Source: This report was generated using AI