RCE via shell injection in tac_plus pre/post auth commands
CVE-2023-45239 Published on October 6, 2023
A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.
Weakness Type
Improper Filtering of Special Elements
The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.
Products Associated with CVE-2023-45239
stack.watch emails you whenever new vulnerabilities are published in Facebook Tac Plus or Fedora Project Fedora. Just hit a watch button to start following.
Affected Versions
Meta tac_plus:- Before 4fdf178 is affected.
- Before 4fdf178 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.