pkg:Go/github.com/rancher/rancher

91 total CVEs: 15 CRITICAL, 52 HIGH, 24 MEDIUM

All known vulnerabilities

  • CVE-2021-25320 (CRITICAL 9.9): Rancher cloud credentials can be used through proxy API by users without access
    Affected versions: >= 2.2.0, < 2.4.16
  • CVE-2021-25320 (CRITICAL 9.9): Rancher cloud credentials can be used through proxy API by users without access
    Affected versions: >= 2.2.0+incompatible
  • CVE-2021-36783 (CRITICAL 9.9): Rancher doesn't properly sanitize credentials in cluster template answers
    Affected versions: >= 2.5.0, < 2.5.13
  • CVE-2023-22647 (CRITICAL 9.9): Rancher vulnerable to Privilege Escalation via manipulation of Secrets
    Affected versions: >= 2.6.0, < 2.6.13
  • CVE-2023-22651 (CRITICAL 9.9): Rancher Webhook is misconfigured during upgrade process
    Affected versions: >= 2.7.2, < 2.7.3
  • CVE-2021-36782 (CRITICAL 9.9): Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
    Affected versions: >= 2.5.0, < 2.5.16
  • CVE-2019-11202 (CRITICAL 9.8): Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher
    Affected versions: >= 2.0.0+incompatible, < 2.2.2+incompatible
  • CVE-2019-11202 (CRITICAL 9.8): Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher
    Affected versions: >= 2.0.0, <= 2.0.13
  • CVE-2022-31247 (CRITICAL 9.1): Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB)
    Affected versions: >= 2.5.0, < 2.5.16
  • CVE-2025-23391 (CRITICAL 9.1): Rancher: Restricted Administrator can change Administrator's passwords
    Affected versions: from 0
  • CVE-2025-23391 (CRITICAL 9.1): Rancher: Restricted Administrator can change Administrator's passwords
    Affected versions: >= 2.8.0, < 2.8.14
  • CVE-2024-22036 (CRITICAL 9.1): Rancher Remote Code Execution via Cluster/Node Drivers
    Affected versions: from 0
  • CVE-2024-22036 (CRITICAL 9.1): Rancher Remote Code Execution via Cluster/Node Drivers
    Affected versions: >= 2.7.0, < 2.7.16
  • CVE-2022-45157 (CRITICAL 9.1): Exposure of vSphere's CPI and CSI credentials in Rancher
    Affected versions: >= 2.9.0, < 2.9.3
  • CVE-2022-45157 (CRITICAL 9.1): Exposure of vSphere's CPI and CSI credentials in Rancher
    Affected versions: from 0
  • CVE-2024-52281 (HIGH 8.9): Rancher UI has Stored Cross-site Scripting vulnerability
    Affected versions: >= 2.9.0, < 2.9.4
  • CVE-2024-52281 (HIGH 8.9): Rancher UI has Stored Cross-site Scripting vulnerability
    Affected versions: from 0
  • CVE-2023-22650 (HIGH 8.8): Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
    Affected versions: >= 2.7.0, < 2.7.14
  • CVE-2023-22650 (HIGH 8.8): Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
    Affected versions: from 0
  • CVE-2021-25318 (HIGH 8.8): Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher
    Affected versions: >= 2.0.0, < 2.4.16
  • CVE-2021-25318 (HIGH 8.8): Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher
    Affected versions: >= 2.0.0+incompatible
  • CVE-2021-31999 (HIGH 8.8): Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher
    Affected versions: >= 2.0.0+incompatible
  • CVE-2021-31999 (HIGH 8.8): Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher
    Affected versions: >= 2.0.0, < 2.4.16
  • CVE-2021-36776 (HIGH 8.8): Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher
    Affected versions: from 0
  • CVE-2021-36776 (HIGH 8.8): Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher
    Affected versions: >= 2.5.0, < 2.5.10
  • CVE-2020-10676 (HIGH 8.8): Rancher users retain access after moving namespaces into projects they don't have access to
    Affected versions: >= 2.6.0, < 2.6.13
  • CVE-2022-43757 (HIGH 8.8): Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects
    Affected versions: >= 2.5.0, < 2.5.17
  • CVE-2019-12303 (HIGH 8.8): Rancher code injection via fluentd config commands in github.com/rancher/rancher
    Affected versions: >= 2.0.0+incompatible, < 2.2.4+incompatible
  • CVE-2019-12303 (HIGH 8.8): Rancher code injection via fluentd config commands in github.com/rancher/rancher
    Affected versions: >= 2.0.0, < 2.2.4
  • CVE-2019-12274 (HIGH 8.8): Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher
    Affected versions: >= 2.0.0, < 2.2.4
  • CVE-2019-12274 (HIGH 8.8): Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher
    Affected versions: from 0, < 1.6.27; >= 2.0.0+incompatible, < 2.2.4+incompatible
  • CVE-2017-7297 (HIGH 8.8): Rancher Access Control Vulnerability in github.com/rancher/rancher
    Affected versions: >= 1.5.0, < 1.5.3
  • CVE-2017-7297 (HIGH 8.8): Rancher Access Control Vulnerability in github.com/rancher/rancher
    Affected versions: >= 1.2.0, < 1.2.4; >= 1.3.0, < 1.3.5; >= 1.4.0, < 1.4.3; >= 1.5.0, < 1.5.3
  • CVE-2019-13209 (HIGH 8.7): Cross-site request forgery in github.com/rancher/rancher
    Affected versions: >= 2.0.0, < 2.0.16
  • CVE-2019-13209 (HIGH 8.7): Cross-site request forgery in github.com/rancher/rancher
    Affected versions: from 0, < 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible
  • CVE-2024-22031 (HIGH 8.5): Rancher users who can create Projects can gain access to arbitrary projects
    Affected versions: >= 2.8.0, < 2.9.9
  • CVE-2024-22031 (HIGH 8.5): Rancher users who can create Projects can gain access to arbitrary projects
    Affected versions: from 0
  • CVE-2026-25705 (HIGH 8.4): Rancher Extensions have arbitrary file access via path traversal
    Affected versions: >= 2.14.0, < 2.14.1
  • CVE-2025-23389 (HIGH 8.4): Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login
    Affected versions: from 0
  • CVE-2025-23389 (HIGH 8.4): Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login
    Affected versions: >= 2.8.0, < 2.8.13
  • CVE-2022-43760 (HIGH 8.4): Rancher UI has multiple Cross-Site Scripting (XSS) issues
    Affected versions: >= 2.6.0, < 2.6.13
  • CVE-2025-67601 (HIGH 8.3): Rancher CLI skips TLS verification on Rancher CLI login command
    Affected versions: from 0, < 0.0.0-20260129092249-bb0625fd1896
  • CVE-2025-67601 (HIGH 8.3): Rancher CLI skips TLS verification on Rancher CLI login command
    Affected versions: from 0
  • CVE-2021-36778 (HIGH 8.3): Exposure of repository credentials to external third-party sources in Rancher
    Affected versions: >= 2.6.0, < 2.6.3
  • CVE-2024-58259 (HIGH 8.2): Rancher affected by unauthenticated Denial of Service in github.com/rancher/rancher
    Affected versions: >= 2.12.0, < 2.12.1
  • CVE-2024-58259 (HIGH 8.2): Rancher affected by unauthenticated Denial of Service in github.com/rancher/rancher
    Affected versions: from 0, < 0.0.0-20250813072957-aee95d4e2a41
  • CVE-2025-23388 (HIGH 8.2): Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API
    Affected versions: >= 2.8.0, < 2.8.13
  • CVE-2025-23388 (HIGH 8.2): Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API
    Affected versions: from 0
  • CVE-2019-6287 (HIGH 8.1): Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher
    Affected versions: >= 2.0.0+incompatible, < 2.1.6+incompatible
  • CVE-2019-6287 (HIGH 8.1): Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher
    Affected versions: >= 2.0.0, < 2.1.6
  • CVE-2021-4200 (HIGH 8.1): Write access to the catalog for any user when restricted-admin role is enabled in Rancher
    Affected versions: >= 2.6.0, < 2.6.4
  • CVE-2023-22648 (HIGH 8.0): Rancher's Azure AD permission changes are not reflected on active sessions
    Affected versions: >= 2.6.7, < 2.6.13
  • CVE-2024-58267 (HIGH 8.0): Rancher CLI SAML authentication is vulnerable to phishing attacks
    Affected versions: >= 2.12.0, < 2.12.2
  • CVE-2024-58267 (HIGH 8.0): Rancher CLI SAML authentication is vulnerable to phishing attacks
    Affected versions: from 0
  • CVE-2024-22030 (HIGH 8.0): Rancher agents can be hijacked by taking over the Rancher Server URL
    Affected versions: >= 2.7.0, < 2.7.15
  • CVE-2024-22030 (HIGH 8.0): Rancher agents can be hijacked by taking over the Rancher Server URL
    Affected versions: from 0
  • CVE-2021-36775 (HIGH 8.0): Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher
    Affected versions: from 0, < 2.4.18
  • CVE-2021-36775 (HIGH 8.0): Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher
    Affected versions: from 0
  • CVE-2023-22649 (HIGH 7.7): Rancher 'Audit Log' leaks sensitive information
    Affected versions: from 0
  • CVE-2023-22649 (HIGH 7.7): Rancher 'Audit Log' leaks sensitive information
    Affected versions: >= 2.6.0, < 2.6.14
  • CVE-2024-58260 (HIGH 7.6): Rancher update on users can deny the service to the admin
    Affected versions: from 0
  • CVE-2024-58260 (HIGH 7.6): Rancher update on users can deny the service to the admin
    Affected versions: >= 2.12.0, < 2.12.2
  • CVE-2022-21953 (HIGH 7.4): Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
    Affected versions: >= 2.5.0, < 2.5.17
  • CVE-2023-32194 (HIGH 7.2): Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'
    Affected versions: from 0
  • CVE-2023-32194 (HIGH 7.2): Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'
    Affected versions: >= 2.6.0, < 2.6.14
  • CVE-2022-43759 (HIGH 7.2): Privilege escalation in project role template binding (PRTB) and -promoted roles
    Affected versions: >= 2.5.0, < 2.5.17
  • CVE-2022-43755 (HIGH 7.1): Rancher cattle-token is predictable
    Affected versions: >= 2.6.0, < 2.6.10
  • CVE-2022-21951 (MEDIUM 6.8): Rancher's weave CNI password is not configured when a cluster is created from an RKE template
    Affected versions: >= 2.6.0, < 2.6.5
  • CVE-2022-43758 (MEDIUM 6.8): Command injection in Rancher Git package
    Affected versions: >= 2.5.0, < 2.5.17
  • CVE-2023-32196 (MEDIUM 6.6): Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
    Affected versions: from 0
  • CVE-2023-32196 (MEDIUM 6.6): Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
    Affected versions: >= 2.7.0, < 2.8.9
  • CVE-2023-32196 (MEDIUM 6.6): Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
    Affected versions: >= 2.7.0, < 2.7.14
  • CVE-2024-22032 (MEDIUM 6.5): Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
    Affected versions: >= 2.7.0, < 2.7.14
  • CVE-2024-22032 (MEDIUM 6.5): Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
    Affected versions: from 0
  • CVE-2021-36784 (MEDIUM 6.5): Privilege escalation for users with create/update permissions in Global Roles in Rancher
    Affected versions: >= 2.6.0, < 2.6.4
  • CVE-2024-52282 (MEDIUM 6.2): Rancher Helm Applications may have sensitive values leaked
    Affected versions: >= 2.8.0, < 2.8.10
  • CVE-2024-52282 (MEDIUM 6.2): Rancher Helm Applications may have sensitive values leaked
    Affected versions: from 0
  • CVE-2021-25313 (MEDIUM 6.1): Rancher Cross-site Scripting Vulnerability
    Affected versions: >= 2.5.0, < 2.5.6
  • CVE-2025-23387 (MEDIUM 5.3): Rancher's SAML-based login via CLI can be denied by unauthenticated users
    Affected versions: >= 2.8.0, < 2.8.13
  • CVE-2025-23387 (MEDIUM 5.3): Rancher's SAML-based login via CLI can be denied by unauthenticated users
    Affected versions: from 0
  • CVE-2025-54468 (MEDIUM 4.7): Rancher sends sensitive information to external services through the `/meta/proxy` endpoint
    Affected versions: from 0
  • CVE-2025-54468 (MEDIUM 4.7): Rancher sends sensitive information to external services through the `/meta/proxy` endpoint
    Affected versions: >= 2.12.0, < 2.12.2
  • CVE-2019-11881 (MEDIUM 4.7): Rancher Login Parameter Can Be Edited in github.com/rancher/rancher
    Affected versions: from 0, <= 2.1.4
  • CVE-2019-11881 (MEDIUM 4.7): Rancher Login Parameter Can Be Edited in github.com/rancher/rancher
    Affected versions: from 0
  • CVE-2024-58269 (MEDIUM 4.3): Rancher exposes sensitive information through audit logs in github.com/rancher/rancher
    Affected versions: from 0, < 0.0.0-20251013203444-50dc516a19ea
  • CVE-2023-32199 (MEDIUM 4.3): Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher
    Affected versions: from 0, < 0.0.0-20251014212116-7faa74a968c2
  • CVE-2018-20321 (MEDIUM 4.2): Access Control Bypass in github.com/rancher/rancher
    Affected versions: >= 2.0.0, < 2.1.6
  • CVE-2018-20321 (MEDIUM 4.2): Access Control Bypass in github.com/rancher/rancher
    Affected versions: >= 2.0.0+incompatible, < 2.1.6+incompatible