This release of Teleport contains a security fix.
- Mitigated CVE-2020-29509 by updating github.com/russellhaering/gosaml2.
Details
A vulnerability was discovered in the github.com/russellhaering/gosaml2
library, which Teleport uses for SSO authentication via the SAML protocol.
By submitting a carefully crafted SAML response, an attacker could inject malicious content that bypasses signature validation, permitting a full authentication bypass.
Actions
All Enterprise SSO users with Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to the latest release of Teleport.
If you are unable to upgrade immediately, we suggest disabling SAML connectors on all clusters until the update can be applied.
Download
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.