CVE-2024-52280: Sensitive Information Exposure in Rancher

Severity: 7.7 HIGH (NVD)
EPSS: 0.2% (top 57.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 11

Description

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE Rancher allows users to watch resources they are not allowed to access, provided they hold at least some generic permissions on the resource type. This issue affects Rancher: before 2175e09, before 6e30359, before c744f0b.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.1 | Impact: 4.0

Affected Packages (2 packages)

CVEListV5: suse/rancher < 2175e09 (+2)
Go: github.com/rancher/steve < 0.0.0-20241029132712-2175e090fe4b

Vulnerability Details (4 references)

CVEList: Users can issue watch commands for arbitrary resources (2025-04-11)
OSV: github.com/rancher/steve's users can issue watch commands for arbitrary resources in github.com/rancher/steve (2024-11-21)
GHSA: github.com/rancher/steve's users can issue watch commands for arbitrary resources (2024-11-20)
OSV: github.com/rancher/steve's users can issue watch commands for arbitrary resources (2024-11-20)
CVE-2024-52280 — Sensitive Information Exposure | cvebase