CVE-2025-23390Improper Certificate Validation in Rancher Fleet

CWE-295Improper Certificate Validation3 documents2 sources
Severity
MEDIUM
No vector
EPSS
No EPSS data
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Github.com Rancher Fleet
Timeline
PublishedApr 25
Latest updateMay 5

Description

Fleet doesn’t validate a server’s certificate when connecting through SSH ### Impact A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server’s certificate when connecting through SSH if the certificate isn’t set in the `known_hosts` file. This could allow the execution of a man-in-the-middle (MitM) attack against Fleet. In case the server that is being connected to has a trusted entry in the known_hosts file, then Fleet will correctly c

Affected Packages1 packages

Gogithub.com/rancher_fleet0.9.0-rc.10.10.12+2

🔴Vulnerability Details

3
OSV
Fleet doesn’t validate a server’s certificate when connecting through SSH in github.com/rancher/fleet2025-05-05
OSV
Fleet doesn’t validate a server’s certificate when connecting through SSH2025-04-25
GHSA
Fleet doesn’t validate a server’s certificate when connecting through SSH2025-04-25
CVE-2025-23390 — Improper Certificate Validation | cvebase