CVE-2024-56802 HIGH

CVE-2024-56802: Tapir allows DeployKey exposure

Vendor Pacovk

Product tapir

Weakness CWE-285

Published December 31, 2024

Last update December 31, 2024

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Tapir is a private Terraform registry. Tapir versions 0.9.0 and 0.9.1 are facing a critical issue with scope-able Deploykeys where attackers can guess the key to get write access to the registry. User must upgrade to 0.9.2.

Key dates

02Disclosure timeline

December 31, 2024 CVE published

December 31, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-56802

Related vulnerabilities

04Related CVE

CVE-2022-36848 CVE-2025-62610 Hono Improperly Authorizes JWT Audience Validation CVE-2025-10014 elunez eladmin Email Address updateEmail updateUserEmail improper authorization CVE-2025-4473 Frontend Dashboard 1.5.10 - 2.2.7 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via ajax_request Function CVE-2024-13692 Return Refund and Exchange For WooCommerce <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference