Advisories for Golang/Github.com/Gravitational/Teleport package

A full technical disclosure and open-source patch will be published after the embargo period, ending on June 30th, to allow all users to upgrade. Teleport security engineers identified a critical security vulnerability that could allow remote authentication bypass of Teleport. Teleport Cloud Infrastructure and CI/CD build, test, and release infrastructure aren’t affected. For the full mitigation, upgrade both Proxy and Teleport agents. It is strongly recommend updating clients to the …

Agents running on macOS could be susceptible to unexpected code execution through user supplied environment variables.

An authenticated attacker with valid credentials (user or host) can make non-blind Server-Side Request Forgery (SSRF) through the proxy and/or agents to arbitrary hosts. During investigation of this functionality, it was discovered that there are several permutations where this SSRF is possible. This release addresses all but one: a root proxy administrator with access to the root proxy credentials can make requests through leaf proxies in Trusted Clusters. This behavior …

Access Lists are a new feature introduced in Teleport 14 and currently under preview. An issue was discovered that allows an Access List Owner to assign arbitrary permissions, including permissions to themselves which could result in privilege escalation.

An attacker that has access to nodes within the cluster may be able to SFTP to the Proxy Service. The user's permissions on the Proxy server are still respected, so files can only be read or modified on the Proxy if the user has system access to read or write to them.

This advisory duplicates another.

This advisory duplicates another.

This advisory duplicates another.

This advisory duplicates another.

Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.