Cyber Resilience

CVE-2022-36633

Severity: High · Public PoC · RCE

Published: 24 August 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3029 (96.8th percentile)
Risk Priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-36633 is a high-severity OS Command Injection (CWE-78) vulnerability in Goteleport Teleport. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Teleport 9.3.6 contains a command-injection vulnerability, tracked as CVE-2022-36633 and assigned CWE-78, that permits remote code execution. The flaw resides in the handling of SSH agent installation links; an attacker can supply a URL-encoded bash escape sequence containing carriage-return line-feed characters in place of a legitimate token.

An unauthenticated attacker can deliver the crafted link through a social-engineering message that leverages the trusted Teleport server as the delivery channel. Successful exploitation grants the attacker the ability to execute arbitrary commands on the victim system with the privileges of the Teleport process. This matches the CVSS 8.8 vector: network attack vector, low complexity, no privileges required but user interaction required (the victim must act on the link), and high impact on confidentiality, integrity, and availability.

Public references consist primarily of exploit artifacts published on Packet Storm and the upstream Teleport GitHub repository; no explicit patch or mitigation guidance is supplied in the available references. The associated EPSS score has reached a peak of 0.3162 with a current value of 0.3029.

Vulnerability details

Teleport 9.3.6 is vulnerable to command injection leading to remote code execution. An attacker can craft a malicious SSH agent installation link by URL-encoding a bash escape with carriage return line feed. This URL-encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is a fully unauthenticated attack utilizing the trusted Teleport server to deliver the payload.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: goteleport
Product: teleport
Versions: ≤ 10.1.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
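The following Go program is an added example, not Teleport's code and not drawn from this page's references. It shows the input-validation control above applied to the token slot of an installation link as described in the analysis: the token is URL-decoded the way a server would decode it, then rejected if it carries control characters such as CR/LF or anything outside an opaque-identifier allowlist, so nothing unvalidated is ever interpolated into a generated shell line. The token pattern and the install-agent.sh command are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Allowlist for join tokens: opaque identifiers only. The pattern is an
// assumption for this example; the real token format belongs to the project.
var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9._-]{8,128}$`)

// ValidateJoinToken URL-decodes a token as a server would when it arrives in
// an installation link, then rejects anything that is not an opaque
// identifier. CR/LF and other control characters are reported explicitly.
func ValidateJoinToken(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", fmt.Errorf("token is not valid URL encoding: %w", err)
	}
	for _, r := range decoded {
		if r < 0x20 || r == 0x7f {
			return "", fmt.Errorf("token contains control character U+%04X", r)
		}
	}
	if !tokenPattern.MatchString(decoded) {
		return "", fmt.Errorf("token contains characters outside the allowlist")
	}
	return decoded, nil
}

// RenderInstallCommand builds the shell line an installer script would carry.
// install-agent.sh is a placeholder, not Teleport's CLI; the token is
// interpolated only after validation.
func RenderInstallCommand(rawToken string) (string, error) {
	token, err := ValidateJoinToken(rawToken)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("install-agent.sh --token='%s'", token), nil
}

func main() {
	for _, raw := range []string{"a3f9c0d1e2b47f60", "a3f9c0d1%0D%0Aecho+test"} {
		cmd, err := RenderInstallCommand(raw) // constructed: valid token, then CRLF payload
		fmt.Println(cmd, err)
	}
}
```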
