CVE-2019-11202: Improper Authentication in Rancher

Severity
9.8 CRITICAL (NVD)
EPSS
0.4% (top 37.51%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 30, 2019
Latest update: Jun 10, 2024

Description

An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 through 2.2.1. When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the defa
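The behaviour in the description, modelled as an added example that is not Rancher's source: the pre-fix startup path ("make sure the admin exists") beside a hardened one that persists the fact that bootstrap already happened, replayed through first start, operator deletion and restart. The in-memory store, the setting name and the placeholder password string are assumptions; the page does not state the actual default password.

```python
"""Toy model of the bootstrap-user bug described in CVE-2019-11202.

Illustrative code added to this page, not Rancher source. The datastore,
the setting name and the default password string are placeholders; the
pattern is what matters: the pre-fix startup path recreates the default
admin whenever it is absent, the hardened path records that bootstrap
already happened and never recreates it.
"""
from dataclasses import dataclass, field

# Placeholder standing in for the well-known default password the CVE refers to.
WELL_KNOWN_DEFAULT = "changeme"
BOOTSTRAP_FLAG = "bootstrap-admin-created"  # assumed setting name, not Rancher's


@dataclass
class Store:
    """Stands in for the datastore that persists across Rancher restarts."""
    users: dict = field(default_factory=dict)     # username -> password
    settings: dict = field(default_factory=dict)  # persisted flags


def bootstrap_vulnerable(store: Store) -> None:
    """Pre-fix behaviour: 'ensure the admin exists' on every start.

    Deleting the user leaves no trace, so the next restart sees no admin
    and recreates it with the well-known password."""
    if "admin" not in store.users:
        store.users["admin"] = WELL_KNOWN_DEFAULT


def bootstrap_fixed(store: Store) -> None:
    """Hardened form: create the default admin once and persist that fact.

    Absence of the user is no longer the trigger; the persisted flag is."""
    if store.settings.get(BOOTSTRAP_FLAG) == "true":
        return
    store.users["admin"] = WELL_KNOWN_DEFAULT
    store.settings[BOOTSTRAP_FLAG] = "true"


def login(store: Store, username: str, password: str) -> bool:
    """Minimal local-auth check against the store."""
    return store.users.get(username) == password


def default_admin_exposed(store: Store) -> bool:
    """Audit check: does the default admin still accept the well-known password?"""
    return login(store, "admin", WELL_KNOWN_DEFAULT)


def simulate(bootstrap) -> bool:
    """Replay the sequence from the description: first start, operator deletes
    the default admin, restart. Returns True if the default credentials work
    again after the restart."""
    store = Store()
    bootstrap(store)                       # first start
    assert default_admin_exposed(store)    # well-known password works initially
    del store.users["admin"]               # operator removes the default admin
    bootstrap(store)                       # process restart
    return default_admin_exposed(store)


if __name__ == "__main__":
    print("vulnerable bootstrap, default admin back after restart:",
          simulate(bootstrap_vulnerable))
    print("fixed bootstrap, default admin back after restart:",
          simulate(bootstrap_fixed))
```

The `default_admin_exposed` check is the one an operator wants after any restart of an affected version: against a live instance it means attempting a login with the default credentials rather than reading a dict, and a successful login after the account was deleted is the condition this CVE describes.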

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Go: github.com/rancher/rancher, 2.0.0+incompatible to 2.2.2+incompatible (+3 more ranges)
NVD: suse/rancher, 2.0.0 to 2.0.13 (+2 more ranges)

Vulnerability Details (4 references)

OSV: Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher (2024-06-10)
OSV: Rancher Recreates Default User With Known Password Despite Deletion (2022-05-24)
GHSA: Rancher Recreates Default User With Known Password Despite Deletion (2022-05-24)
CVEList: CVE-2019-11202: An issue was discovered that affects the following versions of Rancher: v2 (2019-07-30)
CVE-2019-11202 — Improper Authentication | cvebase