Skip to content

Withdrawn Advisory: Teleport Access List owners can escalate their privileges

Critical severity GitHub Reviewed Published Dec 29, 2023 in gravitational/teleport • Updated Jul 8, 2024
Withdrawn This advisory was withdrawn on Jan 23, 2024

Package

gomod github.com/gravitational/teleport (Go)

Affected versions

>= 14.0.0, < 14.2.4
>= 13.0.0, < 13.4.13

Patched versions

14.2.4
13.4.13

Description

Withdrawn Advisory

This advisory has been withdrawn because the vulnerability affects a binary, not a library in a supported ecosystem. Therefore, users of the library should not receive alerts. This link is maintained to preserve external references.

Original Description

Impact

Access Lists are a new feature introduced in Teleport 14 and currently under preview. An issue was discovered that allows an Access List Owner to assign arbitrary permissions, including permissions to themselves which could result in privilege escalation.

Patches

Fixed in version 14.2.4 and 13.4.13

References

@reedloden reedloden published to gravitational/teleport Dec 29, 2023
Published to the GitHub Advisory Database Jan 3, 2024
Reviewed Jan 3, 2024
Withdrawn Jan 23, 2024
Last updated Jul 8, 2024

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-76cc-p55w-63g3

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.