Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0ydjJ3LTh2OGMtd2NtOc4ABDXl

Rancher UI has Stored Cross-site Scripting vulnerability

Impact

A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.

Please consult the associated MITRE ATT&CK - Technique - Drive-by Compromise for further information about this category of attack.

Patches

The fix introduces new changes in the directives responsible for sanitizing HTML code before rendering.

We replaced the v-tooltip directive with the v-clean-tooltip directive.

Patched versions include releases 2.9.4 and 2.10.0.

Workarounds

There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of /Rancher Manager which contains the fixes.

Credits

This issue was identified and reported by Bhavin Makwana from Workday’s Cyber Defence Team.

For more information

If you have any questions or comments about this advisory:

Reach out to the SUSE Rancher Security team for security related inquiries.
Open an issue in the Rancher repository.
Verify with our support matrix and product support lifecycle.

Permalink: https://github.com/advisories/GHSA-2v2w-8v8c-wcm9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ydjJ3LTh2OGMtd2NtOc4ABDXl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 days ago
Updated: 3 days ago

CVSS Score: 8.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Identifiers: GHSA-2v2w-8v8c-wcm9, CVE-2024-52281
References:

Repository: https://github.com/rancher/rancher
Blast Radius: 14.3

Affected Packages

go:github.com/rancher/rancher

Dependent packages: 30
Dependent repositories: 40
Downloads:
Affected Version Ranges: >= 2.9.0, < 2.9.4
Fixed in: 2.9.4
All affected versions:
All unaffected versions: 0.4.0, 0.4.2, 0.4.3, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.24.0, 0.25.0, 0.28.0, 0.30.0, 0.31.0, 0.32.0, 0.34.0, 0.35.0, 0.37.0, 0.37.1, 0.38.0, 0.38.1, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.43.1, 0.44.0, 0.46.0, 0.47.0, 0.49.0, 0.49.1, 0.50.0, 0.50.1, 0.50.2, 0.51.0, 0.56.0, 0.56.1, 0.59.0, 0.59.1, 0.63.0, 0.63.1, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 1.6.29, 1.6.30, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13