The vulnerability stems from two issues:

1. The ConfigureCommand function in reexec.go incorporated untrusted cmdmsg.Environment variables into a root execution context, creating an injection vector.
2. The environment filtering in SafeEnv blocked only specific LD_/DYLD_ variable names rather than every variable carrying those prefixes, so other similarly named loader variables passed through the filter.

The commit fixes both by removing the cmdmsg.Environment inclusion entirely and switching SafeEnv to prefix-based filtering, with tests verifying the isolation.
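As an added illustration of the second issue (constructed Go code written for this page, not Teleport's SafeEnv; the sample environment and the exact-name denylist are made up for the example), an exact-name filter beside the prefix-based filter that replaces it:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample env (not from the advisory): ordinary, loader, and look-alike names.
func SampleEnv() []string {
	return []string{"PATH=/usr/bin", "HOME=/root", "LD_PRELOAD=x", "LD_AUDIT=x",
		"DYLD_INSERT_LIBRARIES=x", "DYLD_FRAMEWORK_PATH=x", "LDAP_SERVER=x", "BUILD_ID=1"}
}

// envKey returns the NAME part of a NAME=VALUE entry (the whole string if no "=").
func envKey(kv string) string {
	name, _, _ := strings.Cut(kv, "=")
	return name
}

// FilterExact is the weak pattern: only enumerated names are dropped, so any
// loader variable not on the list survives. Illustrative list, not the real one.
func FilterExact(env []string) []string {
	deny := map[string]bool{"LD_PRELOAD": true, "LD_LIBRARY_PATH": true, "DYLD_INSERT_LIBRARIES": true}
	var out []string
	for _, kv := range env {
		if !deny[envKey(kv)] {
			out = append(out, kv)
		}
	}
	return out
}

// FilterPrefix is the fixed pattern: any name beginning with a loader prefix is
// dropped. Matching is on the prefix only, so LDAP_SERVER and BUILD_ID remain.
func FilterPrefix(env []string) []string {
	var out []string
	for _, kv := range env {
		name := envKey(kv)
		if strings.HasPrefix(name, "LD_") || strings.HasPrefix(name, "DYLD_") {
			continue
		}
		out = append(out, kv)
	}
	return out
}

func main() {
	fmt.Println("exact-name filter keeps:", FilterExact(SampleEnv()))
	fmt.Println("prefix filter keeps:", FilterPrefix(SampleEnv()))
}
```

The exact-name version lets LD_AUDIT and DYLD_FRAMEWORK_PATH through; the prefix version drops every LD_/DYLD_ name while leaving unrelated variables such as LDAP_SERVER untouched.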
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/gravitational/teleport | go | >= 14.0.0, < 14.2.4 | 14.2.4 |
| github.com/gravitational/teleport | go | >= 13.0.0, < 13.4.13 | 13.4.13 |
| github.com/gravitational/teleport | go | < 12.4.31 | 12.4.31 |