Overly Permissive Entitlements in Tabby Terminal Emulator
CVE-2024-55950
What is CVE-2024-55950?
CVE-2024-55950 is a security vulnerability identified in the Tabby Terminal Emulator developed by Eugeny. This software, a highly customizable terminal emulator, has a critical flaw in versions prior to 1.0.216: overly permissive entitlements. These entitlements give the application unnecessary access to sensitive system resources, including the camera and microphone, and to personal files, without justification. This vulnerability can significantly harm an organization by exposing it to unauthorized access and potential exploitation of sensitive information.
Technical Details
The vulnerability arises from excessive entitlements in the Tabby application bundle, which allow it to perform actions beyond its core functionality. Specific entitlements such as com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation contribute to this issue, as they permit code injection: the first lets DYLD_* environment variables influence which libraries the process loads, and the second disables the check that loaded libraries are signed by the same team as the application. Given that Tabby's plugins and themes are NodeJS-based and do not rely on native libraries, these entitlements serve no purpose and create an avenue for threat actors to manipulate and execute arbitrary code within the application environment.
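A defender-side check for the entitlements this advisory names, added here as an example and not code from the Tabby project: it parses a macOS entitlements plist and reports the risky keys that are actually granted (present and true), ignoring keys that are merely present but set to false. The sample plist is constructed, and the flagged keys beyond the two named above are assumptions about what a terminal emulator should not carry.

```python
import plistlib
from typing import Dict, List, Tuple

# Entitlement keys worth flagging when auditing a terminal emulator. The first two
# are the ones named in the advisory; the rest are assumed additions that matter
# for the same reasons (code injection, or camera/microphone access).
RISKY_ENTITLEMENTS: Dict[str, str] = {
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured (library injection)",
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by the same team may be loaded (code injection)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory permitted",
    "com.apple.security.device.camera": "camera access",
    "com.apple.security.device.audio-input": "microphone access",
}


def audit_entitlements(plist_xml: bytes) -> List[Tuple[str, str]]:
    """Return (key, reason) for every risky entitlement that is actually granted.

    The plist of an installed bundle can be extracted with:
        codesign -d --entitlements :- /Applications/Tabby.app
    """
    entitlements = plistlib.loads(plist_xml)
    findings: List[Tuple[str, str]] = []
    for key, reason in RISKY_ENTITLEMENTS.items():
        # A key that is present but set to false grants nothing; skip it.
        if entitlements.get(key) is True:
            findings.append((key, reason))
    return findings


# Constructed sample resembling an over-entitled Electron app; not Tabby's real file.
# allow-jit is deliberately left unflagged: a JavaScript engine legitimately needs it.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><false/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for key, reason in audit_entitlements(SAMPLE_ENTITLEMENTS):
        print(f"{key}: {reason}")
```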
Potential Impact of CVE-2024-55950
- Unauthorized Access to Sensitive Data: The overreach of permissions allows the application to access personal folders, potentially exposing sensitive information and leading to data breaches.
- Code Injection Vulnerabilities: The ability to perform code injection, due to the poorly restricted entitlements, can enable attackers to run malicious code within the terminal emulator, compromising the integrity of the system.
- Increased Attack Surface: With capabilities that include microphone and camera access, this vulnerability broadens the attack surface for malicious actors, potentially leading to surveillance and other privacy violations.
Affected Version(s)
tabby < 1.0.216