CVE-2019-13209 — Cross-site Scripting in Rancher Rancher

CWE-79 — Cross-site Scripting CWE-352 — Cross-Site Request Forgery5 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 53.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Rancher Rancher Suse Rancher

Timeline

PublishedSep 4

Latest updateMay 18

Description

Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Gogithub.com/rancher_rancher2.0.0 — 2.0.16+3

▶NVDsuse/rancher2.0.0 — 2.2.4

🔴Vulnerability Details

OSV

Cross-site request forgery in github.com/rancher/rancher↗2021-05-18

▶

OSV

Rancher Vulnerable to Cross-site Request Forgery (CSRF)↗2021-05-18

▶

GHSA

Rancher Vulnerable to Cross-site Request Forgery (CSRF)↗2021-05-18

▶

CVEList

CVE-2019-13209: Rancher 2 through 2↗2019-09-04

▶