CVE-2021-31999
published 2021-07-15
CVE-2021-31999: A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as other users in the cluster by forging the…
Priority P3 · 49 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.05% (60.1th percentile)
A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as other users in the cluster by forging the "Impersonate-User" or "Impersonate-Group" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.0.0 < 2.4.16 | 2.4.16 |
| github.com | rancher_rancher | >= 2.0.0+incompatible | — |
| github.com | rancher_rancher | >= 2.5.0 < 2.5.9 | 2.5.9 |
| rancher | rancher | < 2.4.16 | 2.4.16 |
| rancher | rancher | >= 2.5.0 < 2.5.9 | 2.5.9 |
| rancher | rancher | >= Rancher < 2.5.9 | 2.5.9 |
| rancher | suse_linux_enterprise_server_15 | >= Rancher < 2.4.16 | 2.4.16 |
CVSS provenance
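| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |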
OSV
Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher
osv·2024-06-10
CVE-2021-31999 Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.
GHSA
Rancher Privilege escalation vulnerability via malicious "Connection" header
ghsa·2024-04-24
CVE-2021-31999 [HIGH] CWE-807 Rancher Privilege escalation vulnerability via malicious "Connection" header
A vulnerability was discovered in Rancher 2.0.0 through the aforementioned patched versions, where a malicious Rancher user could craft an API request directed at the proxy for the Kubernetes API of a managed cluster to gain access to information they do not have access to. This is done by passing the "Impersonate-User" or "Impersonate-Group" header in the Connection header, which is then correctly removed by the proxy. At this point, instead of impersonating the user and their permissions, the request will act as if it was from the Rancher management server and incorrectly return the information. The vulnerability is limited to valid Rancher users with some level of permissions on the cluster. There is not a dir
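One possible guard against the behaviour described above, as an added example that is not Rancher's code or its actual fix: a Go middleware that refuses any request whose Connection header nominates an impersonation header for hop-by-hop removal, before a proxy strips it. It generalizes from the two headers named in the advisory to any `Impersonate-` prefixed header; the function names and the request path are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/textproto"
	"strings"
)

// connectionNamesImpersonation reports whether any Connection header token
// nominates an Impersonate-* header (User, Group, ...) for hop-by-hop removal.
func connectionNamesImpersonation(h http.Header) (string, bool) {
	for _, line := range h.Values("Connection") {
		for _, tok := range strings.Split(line, ",") {
			name := textproto.CanonicalMIMEHeaderKey(strings.TrimSpace(tok))
			if strings.HasPrefix(name, "Impersonate-") {
				return name, true
			}
		}
	}
	return "", false
}

// guardImpersonation (hypothetical middleware) rejects such requests before
// the next handler, e.g. a reverse proxy, strips hop-by-hop headers.
func guardImpersonation(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if name, bad := connectionNamesImpersonation(r.Header); bad {
			http.Error(w, "Connection header must not list "+name, http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request through the guard and returns the status.
func statusFor(connection string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/example/api/v1/pods", nil) // constructed path
	if connection != "" {
		req.Header.Set("Connection", connection)
	}
	rec := httptest.NewRecorder()
	guardImpersonation(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor("keep-alive"), statusFor("keep-alive, impersonate-user")) }
```

Rejecting the request outright, rather than silently dropping the token, also leaves a 400 in the access log that can be alerted on.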
OSV
Rancher Privilege escalation vulnerability via malicious "Connection" header
osv·2024-04-24
CVE-2021-31999 [HIGH] Rancher Privilege escalation vulnerability via malicious "Connection" header
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-07-15
Published