Github.Com Rancher Rancher vulnerabilities
56 known vulnerabilities affecting github.com/rancher_rancher.
Total CVEs: 56
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 31, MEDIUM 13
Vulnerabilities
Page 3 of 3
CVE-2022-21951 | P3 | MEDIUM | Affected: ≥ 2.6.0, < 2.6.5; ≥ 2.5.0, < 2.5.14 | Date: 2026-03-03
CVE-2022-21951 [MEDIUM] CWE-311 Rancher's weave CNI password is not configured when a cluster is created from an RKE template
### Impact
This vulnerability only affects customers using [Weave](https://rancher.com/docs/rancher/v2.6/en/faq/networking/cni-providers/#weave) CNI (Container Network Interface) when configured through [RKE templates](https://rancher.com/docs/rancher/v2.6/en/admin-settings/rke
CVE-2024-22032 | P3 | HIGH | Affected: ≥ 2.7.0, < 2.7.14; ≥ 2.8.0, < 2.8.5 | Date: 2024-06-17
CVE-2024-22032 [HIGH] CWE-200 Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
### Impact
This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled.
A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the [RKE documentation](https://rke.do
CVE-2022-43760 | P3 | MEDIUM | Affected: ≥ 2.6.0, < 2.6.13; ≥ 2.7.0, < 2.7.4 | Date: 2023-06-06
CVE-2022-43760 [MEDIUM] CWE-79 Rancher UI has multiple Cross-Site Scripting (XSS) issues
### Impact
Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in the Rancher UI.
Cross-Site scripting allows a malicious user to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims.
CVE-2023-32196 | P3 | HIGH | Affected: ≥ 2.7.0, < 2.7.14; ≥ 2.8.0, < 2.8.5 | Date: 2024-06-17
CVE-2023-32196 [HIGH] CWE-269 Rancher's External RoleTemplates can lead to privilege escalation
### Impact
A vulnerability has been identified whereby privilege escalation checks are not properly enforced for `RoleTemplate` objects when `external=true`, which in specific scenarios can lead to privilege escalation.
The bug in the webhook rule resolver ignores rules from a `ClusterRole` for external `RoleTemplates` when its context i
CVE-2021-4200 | P4 | HIGH | Affected: ≥ 2.6.0, < 2.6.4; ≥ 2.5.0, < 2.5.13 | Date: 2022-05-02
CVE-2021-4200 [HIGH] CWE-269 Write access to the catalog for any user when restricted-admin role is enabled in Rancher
### Impact
This vulnerability only affects customers using the [`restricted-admin`](https://rancher.com/docs/rancher/v2.6/en/admin-settings/rbac/global-permissions/#restricted-admin) role in Rancher. For this role to be active, Rancher must be bootstrapped with the environment variable `C
CVE-2025-23387 | P4 | MEDIUM | Affected: ≥ 2.8.0, < 2.8.13; ≥ 2.9.0, < 2.9.7; +1 more | Date: 2025-02-27
CVE-2025-23387 [MEDIUM] CWE-200 Rancher's SAML-based login via CLI can be denied by unauthenticated users
### Impact
A vulnerability has been identified within Rancher where it is possible for an unauthenticated user to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This effectively prevents users from logging in via the CLI when using rancher token as the execution comma
CVE-2022-29810 | P4 | MEDIUM | CVSS 5.5 | Affected: ≥ 0, < 2.5.13; ≥ 2.6.0, < 2.6.4 | Date: 2022-04-27
CVE-2022-29810 [MEDIUM] CWE-200 Exposure of SSH credentials in Rancher/Fleet
### Impact
This vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or Helm repositories.
A security vulnerability ([CVE-2022-29810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29810)) was discovered in `go-getter` library in versions prior to [`v1.5.11`](https://github.com/hashicorp/go-getter/releases/tag/v1.5.11)
CVE-2019-13209 | P4 | HIGH | Affected: ≥ 2.0.0, < 2.0.16; ≥ 2.1.0, < 2.1.11; +1 more | Date: 2021-05-18
CVE-2019-13209 [HIGH] CWE-352 Rancher Vulnerable to Cross-site Request Forgery (CSRF)
Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against
CVE-2024-52282 | P4 | MEDIUM | Affected: ≥ 2.8.0, < 2.8.10; ≥ 2.9.0, < 2.9.4 | Date: 2024-11-20
CVE-2024-52282 [MEDIUM] CWE-200 Rancher Helm Applications may have sensitive values leaked
### Impact
A vulnerability has been identified within Rancher Manager whereby applications installed via the Rancher Manager Apps Catalog store their Helm values directly in the `Apps` Custom Resource Definition, allowing any user with `GET` access to it to read any sensitive information contained within the Apps' values. Ad
CVE-2021-25313 | P4 | MEDIUM | Affected: ≥ 2.5.0, < 2.5.6; ≥ 2.4.0, < 2.4.14; +1 more | Date: 2022-05-24
CVE-2021-25313 [MEDIUM] CWE-79 Rancher Cross-site Scripting Vulnerability
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links. This issue affects SUSE Rancher versions prior to 2.5.6.
CVE-2019-11881 | P4 | MEDIUM | Affected: ≥ 0, ≤ 2.1.4 | Date: 2022-05-24
CVE-2019-11881 [MEDIUM] Rancher Login Parameter Can Be Edited
A vulnerability exists in Rancher 2.1.4 in the login component, where the `errorMsg` parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please vi
CVE-2025-54468 | P4 | MEDIUM | Affected: ≥ 2.12.0, < 2.12.2; ≥ 2.11.0, < 2.11.6; +2 more | Date: 2025-09-26
CVE-2025-54468 [MEDIUM] CWE-200 Rancher sends sensitive information to external services through the `/meta/proxy` endpoint
### Impact
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information
CVE-2025-67601 | P4 | HIGH | Affected: ≥ 0, < 0.0.0-20260129092249-bb0625fd1896; ≥ 2.13.0, < 2.13.2; +3 more | Date: 2026-02-01
CVE-2025-67601 [HIGH] CWE-295 Rancher CLI skips TLS verification on Rancher CLI login command
### Impact
A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the `--skip-verify` flag to the Rancher CLI login command without also passing the `--cacert` flag results in the CLI attempting to fetch CA certificates stored in Rancher's setting cacerts. This does not apply to any ot
CVE-2024-58269 | P4 | MEDIUM | Affected: ≥ 0, < 0.0.0-20251013203444-50dc516a19ea | Date: 2025-10-24
CVE-2024-58269 [MEDIUM] CWE-532 Rancher exposes sensitive information through audit logs
### Impact
**Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.**
A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs. This happ
CVE-2023-32199 | P4 | MEDIUM | Affected: ≥ 0, < 0.0.0-20251014212116-7faa74a968c2 | Date: 2025-10-24
CVE-2023-32199 [MEDIUM] CWE-281 Rancher user retains access to clusters despite Global Role removal
### Impact
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters.
This only affects custom Global Roles that:
- Have a `*` on `*` in `*` rule for resources
- Have a `*` on `*` rul
CVE-2024-22031 | HIGH | Affected: ≥ 2.8.0, < 2.9.9; ≥ 2.10.0, < 2.10.5; +1 more | Date: 2025-04-25
CVE-2024-22031 [HIGH] CWE-863 Rancher users who can create Projects can gain access to arbitrary projects
### Impact
A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other project in the different cluster, resultin