github gravitational/teleport v9.3.25
Teleport 9.3.25

16 months ago

Description

This release of Teleport contains multiple security fixes, improvements and bug fixes.

[High] Application Access session hijack

When accepting Application Access requests, Teleport did not sufficiently
validate client credentials.

This could allow an attacker in possession of a valid active application session
ID to issue requests to this application impersonating the session owner for a
limited time window.

The presence of multiple “cert.create” audit events (code TC000I) with the same
app session ID in the “route_to_app.session_id” field may indicate an attempt to
impersonate an existing user’s application session.
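
One way to run the audit-log check described above, as an added example that is not part of the release notes or Teleport's own code. It assumes the audit log has been exported as one JSON event per line; the sample events and their exact layout are constructed, and the script searches for "route_to_app" at any depth rather than assuming where it is nested.

```python
import json
from collections import defaultdict

# Constructed sample: JSON audit events, one per line (layout is an assumption).
SAMPLE_LOG = """\
{"event":"cert.create","code":"TC000I","time":"2023-01-10T09:00:00Z","identity":{"user":"alice","route_to_app":{"name":"grafana","session_id":"sess-aaa"}}}
{"event":"session.start","time":"2023-01-10T09:01:00Z","user":"bob"}
{"event":"cert.create","code":"TC000I","time":"2023-01-10T09:05:00Z","identity":{"user":"alice","route_to_app":{"name":"grafana","session_id":"sess-aaa"}}}
{"event":"cert.create","code":"TC000I","time":"2023-01-10T09:06:00Z","identity":{"user":"carol","route_to_app":{"name":"wiki","session_id":"sess-bbb"}}}
{"event":"cert.create","code":"TC000I","time":"2023-01-10T09:07:00Z","identity":{"user":"dave"}}
{"event":"cert.create","code":"TC0
"""

def find_route_to_app(node):
    """Return the first "route_to_app" object found at any depth, else None."""
    if isinstance(node, dict):
        if isinstance(node.get("route_to_app"), dict):
            return node["route_to_app"]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_route_to_app(child)
        if found is not None:
            return found
    return None

def repeated_app_sessions(lines):
    """Map app session ID -> times of its cert.create events, if more than one."""
    seen = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(event, dict):
            continue
        if event.get("event") != "cert.create" and event.get("code") != "TC000I":
            continue
        session_id = (find_route_to_app(event) or {}).get("session_id")
        if session_id:  # skip cert.create events without an app session ID
            seen[session_id].append(event.get("time"))
    return {sid: times for sid, times in seen.items() if len(times) > 1}

if __name__ == "__main__":
    for sid, times in repeated_app_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"{sid}: {len(times)} cert.create events at {times}")
```

Each session ID it reports is a lead for review, in line with the "may indicate" wording above.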

[Low] Web API session caching

After logging out via the web UI, a user’s session could remain cached in
Teleport’s proxy, allowing continued access to resources for a limited time
window.

Other improvements and fixes

  • Fixed LDAP pagination issues in desktop access. #19535
  • Fixed issue with SSH sessions inheriting OOM score of parent process. #19523
  • Fixed issue with session.start event being overwritten by session.exec event. #19499
  • Fixed issue with SNI info not being set by tsh login --format kubernetes command. #19434
  • Fixed issue with websocket connections to HTTP/2 enabled apps over app access. #19425
  • Fixed issue with SAML connector validation calling issuer URL before auth checks. #19319
  • Improved tsh ls -R latency. #19484
  • Improved handling of corrupted session recordings. #19263
  • Improved web UI SSH performance. #19191
  • Improved performance of traits to roles mapping. #19182

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes
