Improper Privilege Management Affecting github.com/gravitational/teleport/tool/tctl/common package, versions <13.4.26 >=14.0.0 <14.3.20 >=15.0.0 <15.3.6
- Snyk ID SNYK-GOLANG-GITHUBCOMGRAVITATIONALTELEPORTTOOLTCTLCOMMON-7086066
- published 24 May 2024
- disclosed 24 May 2024
- credit Unknown
How to fix?
Upgrade github.com/gravitational/teleport/tool/tctl/common to version 13.4.26, 14.3.20, 15.3.6 or higher.
Overview
github.com/gravitational/teleport/tool/tctl/common is a Go package (https://pkg.go.dev/github.com/gravitational/teleport/tool/tctl/common).
Affected versions of this package are vulnerable to Improper Privilege Management via the PagerDuty integration when creating a role access request: annotations are taken from the user's entire role set rather than from the specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, a request for a role other than the one corresponding to the user's active on-call schedule could be inadvertently auto-approved.
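As an added illustration (not Teleport's code), the following simplified Go model contrasts the role-set-wide annotation lookup described above with a lookup scoped to the requested role. The Role type, the annotation key, the auto-approval check and the sample roles are all constructed assumptions for this example.

```go
package main

// Constructed stand-ins for a Teleport role and its request annotations
// (types, names and the annotation key are not Teleport's own API).
type Role struct {
	Name        string
	Annotations map[string][]string
}
const autoApproveKey = "pagerduty_services"

// Vulnerable: merge the annotations of every role the user holds, not just the requested one.
func annotationsFromRoleSet(roles []Role) []string {
	var out []string
	for _, r := range roles {
		out = append(out, r.Annotations[autoApproveKey]...)
	}
	return out
}

// Hardened form: only the annotations of the requested role are used.
func annotationsForRequestedRole(roles []Role, requested string) []string {
	for _, r := range roles {
		if r.Name == requested {
			return append([]string(nil), r.Annotations[autoApproveKey]...)
		}
	}
	return nil
}

// A plugin auto-approves when the user is on call for any listed service.
func shouldAutoApprove(annotations []string, onCallService string) bool {
	for _, svc := range annotations {
		if svc == onCallService {
			return true
		}
	}
	return false
}

// Constructed sample: two roles tied to different PagerDuty services.
func sampleRoles() []Role {
	return []Role{
		{Name: "db-admin", Annotations: map[string][]string{autoApproveKey: {"db-oncall"}}},
		{Name: "prod-root", Annotations: map[string][]string{autoApproveKey: {"sre-oncall"}}},
	}
}

func main() {
	println(shouldAutoApprove(annotationsFromRoleSet(sampleRoles()), "db-oncall"))
	println(shouldAutoApprove(annotationsForRequestedRole(sampleRoles(), "prod-root"), "db-oncall"))
}
```

With the user on call only for "db-oncall" and requesting "prod-root", the merged lookup auto-approves (true) while the role-scoped lookup does not (false).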