OpenCVE

Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Facebook	Tacquito

No data.

No data.

References

Link	Providers
https://www.facebook.com/security/advisories/cve-2024-49400

History

Fri, 01 Nov 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Facebook Facebook tacquito
CPEs		cpe:2.3:a:facebook:tacquito::::::::
Vendors & Products		Facebook Facebook tacquito
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 17 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 17 Oct 2024 17:30:00 +0000

Type	Values Removed	Values Added
Description		Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed.
References		https://www.facebook.com/security/advisories/cve-2024-49400

MITRE

Status: PUBLISHED

Assigner: facebook

Published: 2024-10-17T17:15:17.191Z

Updated: 2024-11-01T18:35:40.761Z

Reserved: 2024-10-15T01:05:31.784Z

Link: CVE-2024-49400

Vulnrichment

Updated: 2024-10-17T20:44:09.879Z

NVD

Status : Awaiting Analysis

Published: 2024-10-17T18:15:15.547

Modified: 2024-11-01T19:35:28.673

Link: CVE-2024-49400

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49400", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "state": "PUBLISHED", "assignerShortName": "facebook", "dateReserved": "2024-10-15T01:05:31.784Z", "datePublished": "2024-10-17T17:15:17.191Z", "dateUpdated": "2024-11-01T18:35:40.761Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Tacquito", "vendor": "Meta", "versions": [{"lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2", "status": "affected", "version": "0", "versionType": "git"}]}], "dateAssigned": "2024-10-14T00:00:00", "descriptions": [{"lang": "en", "value": "Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed."}], "problemTypes": [{"descriptions": [{"description": "Permissive Regular Expression (CWE-625)", "lang": "en"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2024-10-17T17:15:17.191Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.facebook.com/security/advisories/cve-2024-49400"}]}, "adp": [{"affected": [{"vendor": "facebook", "product": "tacquito", "cpes": ["cpe:2.3:a:facebook:tacquito:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2", "versionType": "git"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-01T18:32:45.694918Z", "id": "CVE-2024-49400", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-01T18:35:40.761Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-49400", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-01T18:32:45.694918Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:facebook:tacquito:*:*:*:*:*:*:*:*"], "vendor": "facebook", "product": "tacquito", "versions": [{"status": "affected", "version": "0", "lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2", "versionType": "git"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T20:44:09.879Z"}}], "cna": {"affected": [{"vendor": "Meta", "product": "Tacquito", "versions": [{"status": "affected", "version": "0", "lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.facebook.com/security/advisories/cve-2024-49400", "tags": ["x_refsource_CONFIRM"]}], "dateAssigned": "2024-10-14T00:00:00", "descriptions": [{"lang": "en", "value": "Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Permissive Regular Expression (CWE-625)"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2024-10-17T17:15:17.191Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49400", "state": "PUBLISHED", "dateUpdated": "2024-11-01T18:35:40.761Z", "dateReserved": "2024-10-15T01:05:31.784Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2024-10-17T17:15:17.191Z", "assignerShortName": "facebook"}, "dataVersion": "5.1"}