CVE-2022-43758OS Command Injection in Rancher

CWE-78OS Command InjectionCWE-77Command InjectionCWE-88Argument Injection4 documents4 sources
Severity
6.8MEDIUMNVD
CNA7.6
EPSS
0.8%
top 26.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Suse RancherGithub.com Rancher Rancher
Timeline
PublishedFeb 7

Description

A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users by default) This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages3 packages

CVEListV5suse/rancherRancher2.5.17
NVDsuse/rancher2.5.02.5.17+2
Gogithub.com/rancher_rancher2.5.02.5.17+2

🔴Vulnerability Details

3
CVEList
Rancher: Command injection in Git package2023-02-07
GHSA
Command injection in Rancher Git package2023-01-25
OSV
Command injection in Rancher Git package2023-01-25
CVE-2022-43758 — OS Command Injection in Suse Rancher | cvebase