x/vulndb: potential Go vuln in github.com/gravitational/teleport: CVE-2022-36633, GHSA-6xf3-5hp7-xqqg #984

tatianab · 2022-09-09T17:05:08Z

In GitHub Security Advisory GHSA-6xf3-5hp7-xqqg, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/gravitational/teleport	10.1.2	>= 10.0.0, < 10.1.2

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: 10.0.0
        fixed: 10.1.2
    packages:
      - package: github.com/gravitational/teleport
  - module: TODO
    versions:
      - introduced: 9.0.0
        fixed: 9.3.13
    packages:
      - package: github.com/gravitational/teleport
  - module: TODO
    versions:
      - fixed: 8.3.17
    packages:
      - package: github.com/gravitational/teleport
description: Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code
    Execution. An attacker can craft a malicious ssh agent installation link by URL
    encoding a bash escape with carriage return line feed. This url encoded payload
    can be used in place of a token and sent to a user in a social engineering attack.
    This is fully unauthenticated attack utilizing the trusted teleport server to
    deliver the payload.
cves:
  - CVE-2022-36633
ghsas:
  - GHSA-6xf3-5hp7-xqqg

The text was updated successfully, but these errors were encountered:

zpavlinovic · 2022-09-15T17:18:27Z

This does not seem to be importable in the classical sense that vulnerability tools can detect as a dependency. All the places where this module is imported seem to fork this repo.

Also, the go.mod file is not following the module naming scheme when it comes to major versions >= 2. For instance:
go get github.com/gravitational/teleport@v10.1.2 go: github.com/gravitational/teleport@v10.1.2: invalid version: module contains a go.mod file, so module path must match major version ("github.com/gravitational/teleport/v10")

or

go get github.com/gravitational/teleport/v10@v10.1.2 go: github.com/gravitational/teleport@v10.1.2: invalid version: module contains a go.mod file, so module path must match major version ("github.com/gravitational/teleport/v10")

gopherbot · 2022-09-15T17:21:42Z

Change https://go.dev/cl/431196 mentions this issue: data/excluded: add GO-2022-0984.yaml for CVE-2022-36633

Fixes #984 Change-Id: Iebe0c3a8765d5a67641cc941fd9b4fe7572f6e72 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/431196 Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org>

gopherbot · 2024-06-14T19:58:44Z

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

tatianab added the NeedsTriage label Sep 9, 2022

tatianab assigned zpavlinovic Sep 12, 2022

zpavlinovic added NeedsReport and removed NeedsReport labels Sep 14, 2022

zpavlinovic closed this as completed Sep 15, 2022

zpavlinovic added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Sep 15, 2022

tatianab mentioned this issue Sep 27, 2022

x/vulndb: potential Go vuln in github.com/gravitational/teleport: GHSA-6xf3-5hp7-xqqg #1024

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/gravitational/teleport: CVE-2022-36633, GHSA-6xf3-5hp7-xqqg #984

x/vulndb: potential Go vuln in github.com/gravitational/teleport: CVE-2022-36633, GHSA-6xf3-5hp7-xqqg #984

tatianab commented Sep 9, 2022

zpavlinovic commented Sep 15, 2022

gopherbot commented Sep 15, 2022

gopherbot commented Jun 14, 2024

x/vulndb: potential Go vuln in github.com/gravitational/teleport: CVE-2022-36633, GHSA-6xf3-5hp7-xqqg #984

x/vulndb: potential Go vuln in github.com/gravitational/teleport: CVE-2022-36633, GHSA-6xf3-5hp7-xqqg #984

Comments

tatianab commented Sep 9, 2022

zpavlinovic commented Sep 15, 2022

gopherbot commented Sep 15, 2022

gopherbot commented Jun 14, 2024