Advisories for Golang/Github.com/Gravitational/Teleport package

Impact An authenticated attacker with valid credentials (user or host) can make non-blind Server-Side Request Forgery (SSRF) through the proxy and/or agents to arbitrary hosts. During investigation of this functionality, it was discovered that there are several permutations where this SSRF is possible. This release addresses all but one: a root proxy administrator with access to the root proxy credentials can make requests through leaf proxies in Trusted Clusters. This …

Impact Access Lists are a new feature introduced in Teleport 14 and currently under preview. An issue was discovered that allows an Access List Owner to assign arbitrary permissions, including permissions to themselves which could result in privilege escalation. Patches Fixed in version 14.2.4 and 13.4.13

Impact An attacker that has access to nodes within the cluster may be able to SFTP to the Proxy Service. The user's permissions on the Proxy server are still respected, so files can only be read or modified on the Proxy if the user has system access to read or write to them. Patches Fixed in versions 14.2.4, 13.4.13 and 12.4.31. Workarounds This issue can be mitigated by ensuring that …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in github.com/gravitational/teleport.

Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.