Teleport 4.4.6

3 years ago

This release of Teleport contains a security fix and a bug fix.

  • Mitigated CVE-2020-29509 by updating github.com/russellhaering/gosaml2.
  • Fixed an issue where tsh login would fail with an AccessDenied error if the user was previously logged into a leaf cluster. #5105

Details

A vulnerability was discovered in the github.com/russellhaering/gosaml2 library which is used by Teleport for SSO authentication via the SAML protocol.

With a carefully crafted SAML response, an attacker could inject malicious content, bypassing signature validation, permitting full authentication bypass.

Actions

All Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to the latest release of Teleport.

If you are unable to upgrade immediately, we suggest disabling SAML connectors for all clusters until the updates can be applied.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
