CVE-2025-23388

HIGH8.2EPSS 0.71%

Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API

發布日:2025/2/27修改日:2025/5/27

描述

### Impact An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher’s `/v3-public/authproviders` public API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actually be written in the API. The downstream clusters, i.e., the clusters managed by Rancher, are not affected by this issue. This vulnerability affects those using external authentication providers as well as Rancher’s local authentication. ### Patches The patch includes the removal of unnecessary HTTP methods of the specific API. Patched versions include releases `v2.8.13`, `v2.9.7` and `v2.10.3`. ### Workarounds There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of Rancher Manager that contains the fix. ### References If you have any questions or comments about this advisory: - Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries. - Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository. - Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 3.1HIGH8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

參考連結(13)