logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-hw4x-mcx5-9q36 github.com/gravitational/teleport

Package

Manager: go
Name: github.com/gravitational/teleport
Vulnerable Version: <0

Severity

Level: Critical

CVSS v3.1: N/A

CVSS v4.0: N/A

EPSS: N/A pctlN/A

Details

Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users ## Withdrawn Advisory This advisory has been withdrawn because the vulnerability affects a binary, not a library in a [supported ecosystem](https://github.com/github/advisory-database#supported-ecosystems). Therefore, users of the library should not receive alerts. This link is maintained to preserve external references. ## Original Description ### Impact An authenticated attacker with valid credentials (user or host) can make non-blind Server-Side Request Forgery (SSRF) through the proxy and/or agents to arbitrary hosts. During investigation of this functionality, it was discovered that there are several permutations where this SSRF is possible. This release addresses all but one: a root proxy administrator with access to the root proxy credentials can make requests through leaf proxies in Trusted Clusters. This behavior will be restricted in future releases. For customers using Teleport in a Trusted Cluster configuration, we encourage leaf clusters to have network restrictions in place to mitigate SSRF. For example, we recommend restricting outbound network connections to only the Auth Service, your SSO provider, and any agents, databases or applications needed to be accessed from the proxy. If running in a cloud environment pay careful attention to what cloud resources are accessible from the proxy. ### Patches Fixed in versions 14.2.4, 13.4.13 and 12.4.31. ### Workarounds Strict network controls from the Teleport Proxy and Teleport Agents reduce the potential exposure from this issue. ### References * Fixed in PR: https://github.com/gravitational/teleport/pull/36127 * https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html#network-layer * https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/implementing-network-segmentation-and-segregation

Metadata

Created: 2024-01-03T21:28:37Z
Modified: 2024-09-06T21:40:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-hw4x-mcx5-9q36/GHSA-hw4x-mcx5-9q36.json
CWE IDs: []
Alternative ID: N/A
Finding: N/A
Auto approve: 0