CVE-2019-12274

HIGH 8.8 | EPSS 0.19%

Rancher Privilege Escalation Vulnerability

Published: 2022/5/24 | Modified: 2024/8/20
Also known as: GHSA-gc62-j469-9gjm, GO-2023-1991

Description

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

Affected packages (2)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)