CVE-2025-23387
published 2025-04-11
CVE-2025-23387: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE Rancher allowed unauthenticated users to list all CLI authentication tokens…
Priority: P4 · 28
Severity: medium, CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.48% (37.8th percentile)
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE Rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This issue affects Rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3. Although the weakness is classed as an information exposure (CWE-200), the CVSS vector (C:N/I:N/A:L) reflects the practical impact described in the vendor advisory below: denial of SAML-based CLI login, not credential theft, since the listed token is encrypted and cannot be used to impersonate a user.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.10.0 < 2.10.3 | 2.10.3 |
| github.com | rancher_rancher | >= 2.8.0 < 2.8.13 | 2.8.13 |
| github.com | rancher_rancher | >= 2.9.0 < 2.9.7 | 2.9.7 |
| suse | rancher | >= 2.10.0 < 2.10.3 | 2.10.3 |
| suse | rancher | >= 2.8.0 < 2.8.13 | 2.8.13 |
| suse | rancher | >= 2.9.0 < 2.9.7 | 2.9.7 |
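A fleet-triage helper built from the three affected/fixed pairs in the table above. This is an added example, not code from Rancher, SUSE or the advisory; the version parser, the pre-release ordering rule and the sample inventory are this example's own assumptions.

```python
"""Triage helper: is a given Rancher version affected by CVE-2025-23387?

Added example (not Rancher's or SUSE's code). Only the three
[introduced, fixed) ranges come from the advisory; version parsing,
pre-release handling and the sample inventory are assumptions.
"""
import re
from typing import Dict, NamedTuple, Optional

# Affected ranges from the advisory, as half-open [introduced, fixed) pairs.
AFFECTED_RANGES = (
    ("2.8.0", "2.8.13"),
    ("2.9.0", "2.9.7"),
    ("2.10.0", "2.10.3"),
)

# Accepts "2.9.6", "v2.9.6", "v2.9.7-rc1" and an optional "+build" suffix.
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    pre: Optional[str]  # None for a release, e.g. "rc1" for a pre-release

    @classmethod
    def parse(cls, text: str) -> "Version":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a Rancher version string: {text!r}")
        return cls(int(m["major"]), int(m["minor"]), int(m["patch"]), m["pre"])

    def key(self):
        # Assumption (SemVer 2.0 rule): a pre-release sorts before the release
        # with the same numbers, so v2.9.7-rc1 < 2.9.7 and is still affected.
        # Pre-release identifiers are compared as plain strings here.
        return (self.major, self.minor, self.patch, self.pre is None, self.pre or "")


class Verdict(NamedTuple):
    affected: bool
    fixed_in: Optional[str]  # first fixed release on the same minor line


def check_version(text: str) -> Verdict:
    """Match one version against the advisory's ranges."""
    v = Version.parse(text).key()
    for introduced, fixed in AFFECTED_RANGES:
        if Version.parse(introduced).key() <= v < Version.parse(fixed).key():
            return Verdict(True, fixed)
    # Not in any listed range. Note this also covers lines the advisory does
    # not mention at all (e.g. 2.7.x), which means "not assessed", not "safe".
    return Verdict(False, None)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {server_name: fixed_in} for every affected server in inventory."""
    result = {}
    for name, version in inventory.items():
        verdict = check_version(version)
        if verdict.affected:
            result[name] = verdict.fixed_in
    return result


# Constructed sample inventory (illustrative names and versions, not real hosts).
SAMPLE_INVENTORY = {
    "rancher-prod": "v2.9.6",
    "rancher-stage": "v2.10.3",
    "rancher-lab": "v2.9.7-rc1",
    "rancher-old": "v2.7.18",
}

if __name__ == "__main__":
    for name, fixed in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: affected, upgrade to {fixed}")
```

Run it against whatever version list your asset inventory exports; the one judgement call is the pre-release rule, which deliberately treats a release candidate of the fixed version as still affected. Versions outside the listed ranges are reported as not affected only because the advisory does not list them, so a 2.7.x result should be read as unassessed rather than clean.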
OSV
osv·2025-03-03
CVE-2025-23387 Rancher's SAML-based login via CLI can be denied by unauthenticated users in github.com/rancher/rancher.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher from v2.8.0 before v2.8.13, from v2.9.0 before v2.9.7, from v2.10.0 before v2.10.3.
GHSA
ghsa·2025-02-27
CVE-2025-23387 [MEDIUM] CWE-200 Rancher's SAML-based login via CLI can be denied by unauthenticated users
### Impact
A vulnerability has been identified within Rancher where it is possible for an unauthenticated user to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This effectively prevents users from logging in via the CLI when using `rancher token` as the execution command (instead of the token directly being in the kubeconfig).
Note that this token is not the kubeconfig token, and if an attacker is able to intercept it they can't use it to impersonate a real user, since it is encrypted.
This happens because for SAML-based authentication providers, the login flow from the CLI works by generating a link to be pasted in the browser, and then polling every 10 seconds for
OSV
osv·2025-02-27
CVE-2025-23387 [MEDIUM] Rancher's SAML-based login via CLI can be denied by unauthenticated users (mirror of the GHSA advisory above; text identical)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-04-11