Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/rancher/rancher(Go) | 2.0.0 | 2.0.16 | N/A |
| github.com/rancher/rancher(Go) | 2.1.0 | 2.1.11 | N/A |
| github.com/rancher/rancher(Go) | 2.2.0 | 2.2.5 | N/A |
CVSS Metrics
