CVE-2019-11881 — Rancher Rancher vulnerability

5 documents4 sources

Severity

4.7MEDIUMNVD

EPSS

5.4%

top 9.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Rancher Rancher Suse Rancher

Timeline

PublishedJun 10

Latest updateJun 5

Description

A vulnerability exists in Rancher before 2.2.4 in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶Gogithub.com/rancher_rancher2.1.4

▶NVDsuse/rancher2.1.4

🔴Vulnerability Details

OSV

Rancher Login Parameter Can Be Edited in github.com/rancher/rancher↗2024-06-05

▶

OSV

Rancher Login Parameter Can Be Edited↗2022-05-24

▶

GHSA

Rancher Login Parameter Can Be Edited↗2022-05-24

▶

CVEList

CVE-2019-11881: A vulnerability exists in Rancher before 2↗2019-06-10

▶