Skip to content

Rancher Vulnerable to Cross-site Request Forgery (CSRF)

High severity GitHub Reviewed Published May 18, 2021 to the GitHub Advisory Database • Updated Sep 18, 2023

Package

gomod github.com/rancher/rancher (Go)

Affected versions

>= 2.0.0, < 2.0.16
>= 2.1.0, < 2.1.11
>= 2.2.0, < 2.2.5

Patched versions

2.0.16
2.1.11
2.2.5

Description

Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.

References

Published by the National Vulnerability Database Sep 4, 2019
Reviewed May 17, 2021
Published to the GitHub Advisory Database May 18, 2021
Last updated Sep 18, 2023

Severity

High
8.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:H

Weaknesses

CVE ID

CVE-2019-13209

GHSA ID

GHSA-xhg2-rvm8-w2jh

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.