Added TeleportAccessMonitoringRuleV1 support to the Teleport Kubernetes operator. #64368
Added update support for scoped tokens to tctl and updated the upsert scoped token RPC so that it no longer requires a status. #64345
Improved performance and reduced resource usage of the database proxy for clusters with large numbers of registered databases. #64311
Added more helpful messages to ssm.run events when there's a failure in discovering EC2 instances. #64273
Fixed a bug that could cause desktop connection errors during proxy upgrades for some cluster configurations. #64258
Fixed an issue where the UI would display a white screen and no error when an error occurred. #64246
Improved the layout of the web UI's message of the day. #64213
Fixed an issue where VNet on Windows could fail to start after an update with the error "The specified service does not exist as an installed service." #64206
Fixed a bug where audit events could be created forever for an expired access request. #64180
Added scoped tokens to tctl resource commands. #64040
Fixed reporting of server discovery enrollment failures when the Proxy is not reachable from the target server. #64007
Fixed an issue that caused Discovery Service to stop working for Discovery Configs, also affecting AWS OIDC resource enrollments created from the UI. #63970
Added support for session summarizer resources to the Kubernetes operator. #63884
Enterprise:
Fixed an error log and a memory leak when manually deleting an okta_assignment resource.
Fixed a potential panic in Auth service when getting a non-existing plugin without list permissions.
Prevented membership modifications for Access Lists synchronized from Entra ID.
The OpenTelemetry Go SDK in versions v1.20.0 through v1.39.0 is vulnerable to Path Hijacking (Untrusted Search Path) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command by bare name, so the binary is resolved through the PATH search path. An attacker who can modify the PATH environment variable of the process can achieve Arbitrary Code Execution (ACE) within the context of the application.
Patches
This has been patched in d45961b, which was released with v1.40.0.
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) there; they are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, which allows privilege escalation if the Docker CLI is executed by a privileged user.
This issue affects Docker CLI through v29.1.5 (fixed in v29.2.0). It impacts Windows binaries acting as a CLI plugin manager via the github.com/docker/cli/cli-plugins/manager package, which is consumed by downstream projects such as Docker Compose.
Docker Compose became affected starting in v2.31.0, when it incorporated the relevant CLI plugin manager code (see docker/compose#12300), and is fixed in v5.1.0.
This issue does not impact non-Windows binaries or projects that do not use the plugin manager code.
Patches
Fixed in v29.2.0 and later.
This issue was fixed in docker/cli@1375933 (docker/cli#6713), which removed %PROGRAMDATA%\Docker\cli-plugins from the list of paths used for plugin-discovery on Windows.
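Both advisories above are instances of the same weakness: a program asks for an executable by bare name and lets a search path that an unprivileged user can influence (PATH, or a plugin directory that does not exist yet and can be created by anyone) decide which file actually runs. The following Go program is an added example, not code from OpenTelemetry, Docker or the Teleport project. It shows the unpinned lookup that exec.Command performs (exec.LookPath) being hijacked by a directory prepended to PATH, next to a lookup that only consults directories the program itself pins. The function names, the trusted-directory list and the planted shell script are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrNotTrusted is returned when the tool is absent from every trusted directory.
var ErrNotTrusted = errors.New("tool not found in any trusted directory")

// FindTool locates name in trustedDirs only and never consults PATH. The
// directories are pinned by the program (for ioreg on macOS that would be
// /usr/sbin; for a plugin manager, directories only administrators can write),
// so a user-writable directory prepended to PATH, or a pre-created directory
// the program would otherwise trust, cannot inject a binary of the same name.
func FindTool(name string, trustedDirs []string) (string, error) {
	if name == "" || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("tool name %q must be a bare file name", name)
	}
	for _, dir := range trustedDirs {
		if !filepath.IsAbs(dir) {
			continue // a relative entry would resolve under the attacker's cwd
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err != nil || !info.Mode().IsRegular() || info.Mode()&0o111 == 0 {
			continue
		}
		return candidate, nil
	}
	return "", ErrNotTrusted
}

// LookupResult captures what each lookup strategy resolved for the same name.
type LookupResult struct {
	Planted   string // the attacker's binary, in a directory they control
	Unpinned  string // what exec.LookPath chose (exec.Command(name) does this internally)
	Pinned    string // what FindTool chose ("" when PinnedErr is set)
	PinnedErr error
}

// SimulateHijack plays the attacker's move from the advisory: a writable
// directory containing a fake binary called name is prepended to PATH, and
// then both lookups are run. PATH is restored before returning.
func SimulateHijack(name string, trustedDirs []string) (LookupResult, error) {
	dir, err := os.MkdirTemp("", "hijack-demo")
	if err != nil {
		return LookupResult{}, err
	}
	defer os.RemoveAll(dir)
	planted := filepath.Join(dir, name)
	// Constructed payload: a shell script standing in for a malicious binary.
	if err := os.WriteFile(planted, []byte("#!/bin/sh\necho hijacked\n"), 0o755); err != nil {
		return LookupResult{}, err
	}
	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	if err := os.Setenv("PATH", dir+string(os.PathListSeparator)+oldPath); err != nil {
		return LookupResult{}, err
	}
	res := LookupResult{Planted: planted}
	res.Unpinned, _ = exec.LookPath(name)
	res.Pinned, res.PinnedErr = FindTool(name, trustedDirs)
	return res, nil
}

func main() {
	res, err := SimulateHijack("ioreg", []string{"/usr/sbin"})
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("planted:           ", res.Planted)
	fmt.Println("exec.LookPath gave:", res.Unpinned)
	fmt.Println("FindTool gave:     ", res.Pinned, res.PinnedErr)
}
```

The simplest hardening is to call the tool by absolute path (exec.Command("/usr/sbin/ioreg", ...)); FindTool generalises that to a short list of pinned directories. For plugin discovery the Docker fix went one step further and dropped the directory that an unprivileged user could create; the lesson is that a search path entry is only as trustworthy as the least privileged principal that can create or write it.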
Function api.ParseJSONRequest splits (via a call to strings.Split) an optionally provided OID, which is untrusted data, on periods. Similarly, function api.getContentType splits the Content-Type header, which is also untrusted data, on an application string.
As a result, a malicious request carrying either an excessively long OID with many period characters in the payload or a malformed Content-Type header causes a call to api.ParseJSONRequest or api.getContentType to allocate O(n) bytes, where n is the length of the function's argument.
Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)
Patches
Upgrade to v2.0.3.
Workarounds
There are no workarounds within the service itself. If the service is behind a load balancer, configure the load balancer to reject excessively large requests.
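The fix pattern for this class of bug is to bound the input before doing anything whose cost grows with it, and to use a real parser for headers instead of string splitting. The Go code below is an added example and is not the affected project's code; the limits (128 bytes, 20 arcs, 256-byte header) are this example's own assumptions and should be set from what the API actually needs.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strconv"
	"strings"
)

// Limits chosen for illustration (assumptions, not values from any project):
// an OID naming a hash algorithm or policy never needs more than a few arcs.
const (
	maxOIDLen        = 128
	maxOIDArcs       = 20
	maxContentTypeLn = 256
)

var (
	ErrOIDTooLong     = errors.New("oid exceeds length limit")
	ErrOIDTooManyArcs = errors.New("oid exceeds arc limit")
)

// ParseOID parses a dotted OID such as "2.16.840.1.101.3.4.2.1" into its arcs.
// Every limit is enforced before an allocation proportional to the input is
// made: a request carrying a megabyte of "." characters is rejected by one
// length comparison, not by a strings.Split that allocates one slice element
// per separator.
func ParseOID(s string) ([]int, error) {
	if len(s) > maxOIDLen {
		return nil, ErrOIDTooLong
	}
	if s == "" {
		return nil, errors.New("empty oid")
	}
	if strings.Count(s, ".") >= maxOIDArcs {
		return nil, ErrOIDTooManyArcs
	}
	arcs := make([]int, 0, maxOIDArcs)
	for _, part := range strings.Split(s, ".") {
		n, err := strconv.Atoi(part)
		// Reject non-digits, negatives, and leading zeros ("01" is not an arc).
		if err != nil || n < 0 || (len(part) > 1 && part[0] == '0') {
			return nil, fmt.Errorf("invalid oid arc %q", part)
		}
		arcs = append(arcs, n)
	}
	if len(arcs) < 2 {
		return nil, errors.New("oid needs at least two arcs")
	}
	return arcs, nil
}

// IsJSONRequest reports whether a Content-Type header denotes a JSON body.
// mime.ParseMediaType is a proper RFC 2045 parser: it lowercases and trims the
// media type and returns an error on malformed input, so no ad-hoc splitting
// of attacker-controlled text is needed. The length cap bounds its work too.
func IsJSONRequest(contentType string) (bool, error) {
	if len(contentType) > maxContentTypeLn {
		return false, errors.New("content-type header too long")
	}
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return false, err
	}
	return mediaType == "application/json", nil
}

func main() {
	// Constructed inputs: a benign OID, a hostile one, and two headers.
	for _, in := range []string{"2.16.840.1.101.3.4.2.1", strings.Repeat(".", 1<<20)} {
		arcs, err := ParseOID(in)
		fmt.Printf("ParseOID(len %d): %v %v\n", len(in), arcs, err)
	}
	for _, ct := range []string{"Application/JSON; charset=utf-8", "application/timestamp-query", ""} {
		ok, err := IsJSONRequest(ct)
		fmt.Printf("IsJSONRequest(%q): %v %v\n", ct, ok, err)
	}
}
```

Length limits on individual fields complement, rather than replace, the request-size limit at the load balancer: a small request can still contain a field that is expensive out of proportion to its size if the code behind it has no bound of its own.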
Security Disclosure: Improper validation of configured threshold for delegations
Summary
A compromised or misconfigured TUF repository can set the configured signature threshold to 0, which effectively disables signature verification.
Impact
Unauthorized modification of TUF metadata files is possible at rest or in transit, as no effective integrity check is made.
Patches
Upgrade to v2.3.1
Workarounds
Always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Affected code:
metadata.VerifyDelegate did not validate the configured threshold before comparing it against the number of valid signatures. A misconfigured TUF repository could therefore disable signature verification by setting the threshold to 0 or a negative value, which makes the threshold comparison always pass.
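The bug is easiest to see with the comparison written out: "valid signatures >= threshold" is trivially true for a threshold of 0, so the check must reject such a threshold before counting anything. The Go program below is an added example, not go-tuf's code; the Role and Signature types, the key-ID derivation (first bytes of the public key in hex) and the field names are this example's own simplifications of what TUF metadata carries. Real TUF key IDs are digests of a canonical key representation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Role mirrors the part of a TUF role that matters here: which keys may sign
// and how many distinct valid signatures are required.
type Role struct {
	KeyIDs    []string
	Threshold int
}

// Signature binds a key ID to a signature over the canonical signed bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}

var ErrBadThreshold = errors.New("role threshold must be at least 1")

// VerifyDelegate checks that at least role.Threshold distinct keys listed in
// the role produced valid signatures over signed. The first check is the one
// the advisory is about: a threshold below 1 is rejected outright, because
// otherwise "valid >= threshold" holds with zero signatures.
func VerifyDelegate(signed []byte, sigs []Signature, role Role, keys map[string]ed25519.PublicKey) error {
	if role.Threshold < 1 {
		return ErrBadThreshold
	}
	allowed := make(map[string]bool, len(role.KeyIDs))
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	seen := make(map[string]bool)
	valid := 0
	for _, s := range sigs {
		if !allowed[s.KeyID] || seen[s.KeyID] {
			continue // not a role key, or a duplicate of a key already counted
		}
		pub, ok := keys[s.KeyID]
		if !ok || !ed25519.Verify(pub, signed, s.Sig) {
			continue
		}
		seen[s.KeyID] = true
		valid++
	}
	if valid < role.Threshold {
		return fmt.Errorf("signature threshold not met: %d valid, %d required", valid, role.Threshold)
	}
	return nil
}

// Signer is a key pair for the example, with an ID derived from the public key.
type Signer struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, err
	}
	return Signer{ID: hex.EncodeToString(pub[:8]), Pub: pub, priv: priv}, nil
}

func (s Signer) Sign(msg []byte) Signature {
	return Signature{KeyID: s.ID, Sig: ed25519.Sign(s.priv, msg)}
}

// KeyMap builds the trusted-key table a role verification consults.
func KeyMap(signers ...Signer) map[string]ed25519.PublicKey {
	m := make(map[string]ed25519.PublicKey, len(signers))
	for _, s := range signers {
		m[s.ID] = s.Pub
	}
	return m
}

func main() {
	a, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the canonical bytes of a signed metadata file.
	msg := []byte(`{"_type":"targets","version":1}`)
	for _, th := range []int{0, 1, 2} {
		role := Role{KeyIDs: []string{a.ID}, Threshold: th}
		fmt.Printf("threshold %d, no signatures:  %v\n", th, VerifyDelegate(msg, nil, role, KeyMap(a)))
		fmt.Printf("threshold %d, one signature:  %v\n", th, VerifyDelegate(msg, []Signature{a.Sign(msg)}, role, KeyMap(a)))
	}
}
```

Counting distinct key IDs rather than raw signatures matters as much as the threshold check: without the seen map, one key could meet a threshold of 2 by signing twice.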
Reachable Assertion
Affected range: <2.3.1
Fixed version: 2.3.1
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Security Disclosure: Client DoS via malformed server response
Summary
If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.
Impact
Client crashes upon receiving and parsing malformed TUF metadata. This can cause long-running services to enter a restart/crash loop.
Workarounds
None currently.
Affected code
The metadata.checkType function did not properly type-assert the (untrusted) input, causing it to panic on malformed data.
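The failure mode is a single-value type assertion on data that came out of json.Unmarshal: if the JSON is valid but the value is the wrong type (or absent), the assertion panics. The Go code below is an added example, not go-tuf's code. It places the buggy shape next to the comma-ok form, and includes a recover-based probe of the kind a fuzz harness would use to detect the panic; the sample metadata documents are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// checkTypeUnsafe is the shape of the bug: blind type assertions on values
// decoded from untrusted JSON. Any value that is not the expected Go type,
// including a missing key (nil interface), makes the assertion panic.
func checkTypeUnsafe(doc map[string]any, want string) error {
	signed := doc["signed"].(map[string]any)
	got := signed["_type"].(string)
	if got != want {
		return fmt.Errorf("expected type %q, got %q", want, got)
	}
	return nil
}

// checkTypeSafe uses the comma-ok form so that every malformed shape becomes
// an error the caller can handle instead of a crash.
func checkTypeSafe(doc map[string]any, want string) error {
	signed, ok := doc["signed"].(map[string]any)
	if !ok {
		return errors.New(`metadata: "signed" is missing or not an object`)
	}
	got, ok := signed["_type"].(string)
	if !ok {
		return errors.New(`metadata: "_type" is missing or not a string`)
	}
	if got != want {
		return fmt.Errorf("expected type %q, got %q", want, got)
	}
	return nil
}

// CheckRaw decodes raw JSON and checks its role type with the safe variant.
// Note that this runs before any signature is verified, exactly as in the
// advisory, which is why it must never trust the document's shape.
func CheckRaw(raw []byte, want string) error {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return err
	}
	return checkTypeSafe(doc, want)
}

// Panics reports whether checkTypeUnsafe panics on raw, recovering so that
// the caller survives. This is how a fuzz target would flag the bug.
func Panics(raw []byte, want string) (panicked bool) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false
	}
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_ = checkTypeUnsafe(doc, want)
	return false
}

func main() {
	// Constructed inputs: one well-formed root document, three that are valid
	// JSON but not well-formed TUF metadata.
	samples := []string{
		`{"signed":{"_type":"root","version":1},"signatures":[]}`,
		`{"signed":5}`,
		`{"signed":{"_type":5}}`,
		`{}`,
	}
	for _, s := range samples {
		fmt.Printf("%-60s unsafe panics=%v safe err=%v\n", s, Panics([]byte(s), "root"), CheckRaw([]byte(s), "root"))
	}
}
```

A client that fetches metadata from mirrors should treat every parsing error as "this mirror served garbage" and move on; a panic instead takes the whole process down, which is the DoS the advisory describes.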
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range: <2.4.1
Fixed version: 2.4.1
CVSS Score: 4.7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Description
Security Vulnerability: Path Traversal in TAP 4 Multirepo Client
Summary
go-tuf's TAP 4 Multirepo Client uses the map file repository name string (repoName) as a filesystem path component when selecting the local metadata cache directory. If an application accepts a map file from an untrusted source, an attacker can supply a repoName containing traversal (e.g., ../escaped-repo) and cause go-tuf to create directories and write the root metadata file outside the intended LocalMetadataDir cache base, within the running process's filesystem permissions.
Affected Component
File: metadata/multirepo/multirepo.go
Function: (*MultiRepoClient) initTUFClients() error
Callsite: metadataDir := filepath.Join(client.Config.LocalMetadataDir, repoName) (around line 129 at the pinned commit)
Impact
When the TAP 4 map file content is attacker-controlled, this enables arbitrary file write relative to the process permissions (via metadata persistence during client initialization). This can be used to overwrite files writable by the process (for example, configuration files in writable directories) and may enable further compromise depending on the deployment environment.
Note: Exploitability is deployment-dependent. If the map file is always local and trusted (not attacker-controlled), this reduces to a misconfiguration risk rather than a remotely triggerable issue.
Attacker Model
Attacker can cause the application to load a TAP 4 map file whose repositories keys are attacker-controlled (for example: fetched from a URL, supply-chain substituted, or otherwise attacker-influenced input).
Local caching is enabled (DisableLocalCache=false) and the configured LocalMetadataDir is writable by the running process.
Claim Ceiling: HIGH when the map file is attacker-controlled; if the map file is always local and trusted, this is closer to a configuration footgun and likely lands as MEDIUM/LOW.
control.log (contains [CALLSITE_HIT], [NC_MARKER], does not contain [PROOF_MARKER])
fix.patch (minimal validation sketch)
Expected: Multirepo repository names are treated as identifiers; a TAP 4 map file containing traversal or absolute paths is rejected (or safely normalized so that all writes stay under LocalMetadataDir).
Actual: A traversal repoName escapes LocalMetadataDir and go-tuf persists root.json under the escaped path during initialization.
Run Local Repro
rm -rf _poc
mkdir -p _poc
unzip -q -o poc.zip -d _poc
cd _poc/poc
make canonical
make control
Workarounds
Treat TAP 4 map files as trusted configuration only (do not fetch from untrusted sources).
Validate repo names before passing the map file to go-tuf (reject absolute paths, path separators, and traversal components such as . and ..).
If acceptable for the application, disable local caching to avoid writing metadata to disk (DisableLocalCache=true).
Suggested Remediation
Validate multirepo repository names as identifiers (not paths) before using them in filepath.Join. Reject:
Absolute paths
Path separators (/ and \)
Traversal components (. and ..)
If it is important to accept a wider set of repo names, a safer alternative is to map repo names to a stable, validated directory name (for example via encoding or hashing) and to ensure all writes stay under the cache base directory.
Triage Questions
Is the TAP 4 map file expected to ever be fetched from untrusted sources in supported deployments?
Should invalid repo names be treated as a hard error (reject initialization), or as a soft error (skip that repository entry)?
/api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services.
Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF.
Impact
SSRF to cloud metadata (169.254.169.254)
SSRF to internal Kubernetes APIs
SSRF to any service accessible from Fulcio's network
Patches
Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives.
Workarounds
Disable the search endpoint with --enable_retrieve_api=false.
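Fulcio's fix removes URL lookups entirely, which is the right call for an endpoint that does not need them. For a service that must fetch a user-supplied URL, the defence is to validate the destination address, not just the URL string: allow only https, resolve the host, reject every address that is loopback, private, link-local (169.254.169.254 is link-local) or otherwise non-public, and then connect to the vetted address rather than re-resolving the name. The Go code below is an added example, not Fulcio's code; the Resolver type and the constructed DNS table are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
)

// Resolver maps a hostname to its addresses. It is injected so the check runs
// offline here and so a real caller can use a DNS client with its own timeouts.
type Resolver func(host string) ([]netip.Addr, error)

// ErrForbiddenTarget is returned for any destination that is not a public address.
var ErrForbiddenTarget = errors.New("destination is not a public address")

// forbidden rejects loopback, RFC 1918 / ULA, link-local (which covers the
// cloud metadata address 169.254.169.254), multicast and unspecified addresses.
func forbidden(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:169.254.169.254 like its IPv4 form
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() || a.IsUnspecified()
}

// ValidateFetchURL returns the addresses a fetch of rawURL may connect to.
// It allows only https on the default port, refuses userinfo, and checks every
// resolved address. The caller must dial one of the returned addresses
// directly, not the hostname, so that a second DNS answer cannot differ from
// the one that was checked (DNS rebinding).
func ValidateFetchURL(rawURL string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("userinfo not allowed in url")
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("port %s not allowed", p)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("missing host")
	}
	var addrs []netip.Addr
	if ip, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{ip} // IP literal: nothing to resolve
	} else {
		addrs, err = resolve(host)
		if err != nil {
			return nil, err
		}
		if len(addrs) == 0 {
			return nil, errors.New("host resolved to no addresses")
		}
	}
	for _, a := range addrs {
		if forbidden(a) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrForbiddenTarget, host, a)
		}
	}
	return addrs, nil
}

// StaticResolver builds a Resolver from a constructed table. It stands in for
// DNS here and lets the example show a name that answers with an internal
// address alongside a public one.
func StaticResolver(table map[string][]string) Resolver {
	return func(host string) ([]netip.Addr, error) {
		raw, ok := table[host]
		if !ok {
			return nil, fmt.Errorf("no such host: %s", host)
		}
		out := make([]netip.Addr, 0, len(raw))
		for _, s := range raw {
			a, err := netip.ParseAddr(s)
			if err != nil {
				return nil, err
			}
			out = append(out, a)
		}
		return out, nil
	}
}

func main() {
	// Constructed DNS answers for the example.
	resolve := StaticResolver(map[string][]string{
		"keys.example.com":   {"203.0.113.10"},
		"rebind.example.com": {"203.0.113.10", "10.0.0.5"},
	})
	for _, u := range []string{
		"https://keys.example.com/key.pem",
		"https://169.254.169.254/latest/meta-data/",
		"https://[::ffff:169.254.169.254]/",
		"https://rebind.example.com/key.pem",
		"http://keys.example.com/key.pem",
	} {
		addrs, err := ValidateFetchURL(u, resolve)
		fmt.Printf("%-45s -> %v %v\n", u, addrs, err)
	}
}
```

Blind SSRF still leaks timing and error information, so even a validated fetcher should run from a network position that cannot reach the Kubernetes API or metadata service, as the workaround of disabling the endpoint implicitly assumes.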
NULL Pointer Dereference
Affected range: <=1.4.3
Fixed version: 1.5.0
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description
Summary
Rekor's cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message: validate() returns nil (success) when the message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload.
Impact
A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a request-handling goroutine within the Rekor process. The panic is recovered, so the client receives a 500 error and the service continues; the availability impact is therefore minimal.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected range: <=1.10.3
Fixed version: 1.10.4
CVSS Score: 5.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Description
Summary
The legacy TUF client pkg/tuf/client.go, which supports caching target files to disk, constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata, but it does not validate that the resulting path stays within the cache base directory.
Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. As this TUF client implementation is deprecated, users should migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf as soon as possible.
Note that this does not affect users of the public Sigstore deployment, where TUF metadata is validated by a quorum of trusted collaborators.
Impact
A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has.
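This advisory and the go-tuf TAP 4 one above share a root cause: a name taken from metadata is joined onto a cache directory with filepath.Join and nothing checks that the result stays inside it. They call for slightly different fixes, because a multirepo name is an identifier that should never contain a separator, while a target name such as "fulcio/fulcio.crt" legitimately does. The Go code below is an added example serving both passages; it is not go-tuf's or sigstore's code, and the function names and the hashed-directory scheme are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrEscapesBase = errors.New("path escapes cache base directory")

// ValidateRepoName treats a TAP 4 repository name as an identifier, not a
// path: it may not be empty, absolute, contain either separator, or be "."
// or "..". These are the checks the advisory's remediation lists.
func ValidateRepoName(name string) error {
	switch {
	case name == "", name == ".", name == "..":
		return fmt.Errorf("invalid repository name %q", name)
	case strings.ContainsAny(name, `/\`):
		return fmt.Errorf("repository name %q contains a path separator", name)
	case filepath.IsAbs(name) || filepath.VolumeName(name) != "":
		return fmt.Errorf("repository name %q is an absolute path", name)
	}
	return nil
}

// RepoMetadataDir is the safe form of filepath.Join(LocalMetadataDir, repoName).
func RepoMetadataDir(base, repoName string) (string, error) {
	if err := ValidateRepoName(repoName); err != nil {
		return "", err
	}
	return filepath.Join(base, repoName), nil
}

// HashedRepoDir is the alternative the advisory mentions for accepting a wider
// set of names: map the name to a fixed-width directory name derived from its
// hash, which can never contain a separator or traversal component.
func HashedRepoDir(base, repoName string) string {
	sum := sha256.Sum256([]byte(repoName))
	return filepath.Join(base, hex.EncodeToString(sum[:16]))
}

// SafeTargetPath serves the legacy-TUF-client case, where target names may
// contain directory components. It cleans the joined path and then checks the
// result is still inside base via the relative path, rather than a string
// prefix test (which "/cache" versus "/cache-evil" would fool).
func SafeTargetPath(base, target string) (string, error) {
	if target == "" || filepath.IsAbs(target) || filepath.VolumeName(target) != "" {
		return "", fmt.Errorf("invalid target name %q", target)
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absBase, filepath.FromSlash(target)) // Join also cleans
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", fmt.Errorf("%w: %q", ErrEscapesBase, target)
	}
	return joined, nil
}

func main() {
	// Constructed inputs: a benign repo name and the advisory's traversal one,
	// then target names of both kinds.
	for _, name := range []string{"good-repo", "../escaped-repo"} {
		d, err := RepoMetadataDir("/var/cache/tuf", name)
		fmt.Printf("repo %-16q -> %q %v  (hashed: %s)\n", name, d, err, HashedRepoDir("/var/cache/tuf", name))
	}
	for _, target := range []string{"fulcio/fulcio.crt", "../../etc/passwd", "a/../../x"} {
		p, err := SafeTargetPath("/var/cache/targets", target)
		fmt.Printf("target %-18q -> %q %v\n", target, p, err)
	}
}
```

Both checks are lexical: they stop a crafted name from producing a path outside the base, but not a symlink already present inside the cache from pointing elsewhere. Where the cache directory is shared or pre-populated, opening files through an os.Root (as in the Go standard library notes further down) confines the operation at the OS level as well.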
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".
A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Affected range: <1.25.8
Fixed version: 1.25.8
Description
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.
The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Affected range: <1.26.1
Fixed version: 1.26.1
Description
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Affected range: <1.26.1
Fixed version: 1.26.1
Description
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Affected range: <1.25.8
Fixed version: 1.25.8
Description
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
This PR contains the following updates:
18.7.1 → 18.7.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
gravitational/teleport (gravitational/teleport)
v18.7.2: Teleport 18.7.2 (Compare Source)
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.