Access List owners can escalate their privileges

Critical
reedloden published GHSA-76cc-p55w-63g3 Dec 29, 2023

Package

Teleport Proxy

Affected versions

>=14.0.0, <14.2.4
>=13.0.0, <13.4.13

Patched versions

14.2.4
13.4.13

Description

Impact

Access Lists are a new feature introduced in Teleport 14 and currently under preview. An issue was discovered that allows an Access List Owner to assign arbitrary permissions, including to themselves, which could result in privilege escalation.

Patches

Fixed in versions 14.2.4 and 13.4.13.
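
To check an inventory against the affected ranges listed above, the following added example (not part of the advisory or of Teleport's own tooling) classifies version strings and reports the upgrade target. The host names and version strings in the sample are constructed, and treating pre-release builds as affected is an assumption made here to err toward flagging.

```python
import re

# Affected ranges as listed in the advisory: (first affected, first patched).
AFFECTED_RANGES = [((13, 0, 0), (13, 4, 13)), ((14, 0, 0), (14, 2, 4))]

# Semantic version with optional "v" prefix, pre-release and build metadata.
_SEMVER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None) for a version string."""
    match = _SEMVER.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(part) for part in match.group(1, 2, 3)), match.group(4)


def classify(text):
    """Return ("affected", patched_version) or ("not listed", None)."""
    core, prerelease = parse_version(text)
    for first_affected, patched in AFFECTED_RANGES:
        # Pre-release tags on in-range versions are ignored (errs toward flagging).
        in_range = first_affected <= core < patched
        # Semver orders 14.2.4-rc.1 before 14.2.4, so a pre-release of the
        # patched version still falls inside the "<14.2.4" bound.
        patched_prerelease = core == patched and prerelease is not None
        if in_range or patched_prerelease:
            return "affected", ".".join(map(str, patched))
    return "not listed", None


def triage(inventory):
    """Map each host running an affected version to its upgrade target."""
    result = {}
    for host, version in inventory.items():
        status, target = classify(version)
        if status == "affected":
            result[host] = target
    return result


# Constructed inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {"proxy-a": "v14.2.3", "proxy-b": "14.2.4", "proxy-c": "13.4.12",
                    "proxy-d": "14.2.4-rc.1", "proxy-e": "15.0.0"}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target}")
```

A result of "not listed" means only that the version falls outside the two ranges this advisory names.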

Severity

Critical

CVE ID

No known CVE

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Handling of Insufficient Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

Credits