Page 2 of 16 results (0.011 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable. Se ha identificado una vulnerabilidad en la que Rancher no limpia automáticamente a un usuario que ha sido eliminado del proveedor de autenticación (AP) configurado. Esta característica también se aplica a los usuarios deshabilitados o revocados; Rancher no reflejará estas modificaciones, lo que puede dejar los tokens del usuario aún utilizables. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22650 https://github.com/rancher/rancher/security/advisories/GHSA-9ghh-mmcq-8phc • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •

CVSS: 8.4EPSS: 1%CPEs: 3EXPL: 0

A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue. Se ha identificado una vulnerabilidad que puede provocar la filtración de datos confidenciales en los registros de auditoría de Rancher. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) es una función opcional. Solo las implementaciones que la tienen habilitada y tienen [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) configurado en "1 o superior" se ven afectadas por este problema. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22649 https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project. En Rancher 2.x anterior a 2.6.13 y 2.7.x anterior a 2.7.4, una verificación de autorización aplicada incorrectamente permite a los usuarios que tienen cierto acceso a un espacio de nombres mover ese espacio de nombres a un proyecto diferente. • https://forums.rancher.com/c/announcements https://github.com/advisories/GHSA-8vhc-hwhc-cpj4 https://github.com/rancher/rancher/releases/tag/v2.6.13 https://github.com/rancher/rancher/releases/tag/v2.7.4 • CWE-863: Incorrect Authorization •

CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760 https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0

An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647 https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6 • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •