CVSS: 9.9EPSS: 81%CPEs: 2EXPL: 4CVE-2021-36782 – Rancher: Plaintext storage and exposure of credentials in Rancher API and cluster.management.cattle.io object
https://notcve.org/view.php?id=CVE-2021-36782
07 Sep 2022 — A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7. Una vulnerabilidad de Almacenamiento en Texto sin Cifrar de Información confidencial en SUSE Rancher permite a propietarios de clústeres, los miembros de clústere... • https://packetstorm.news/files/id/180695 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-21951 – Rancher: Weave CNI password is not set if RKE template is used with CNI value overridden
https://notcve.org/view.php?id=CVE-2022-21951
25 May 2022 — A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI value overridden This issue affects: SUSE Rancher Rancher versions prior to 2.5.14; Rancher versions prior to 2.6.5. Una vulnerabilidad de Falta de Cifrado de Datos Confidenciales en SUSE Rancher, Rancher permite a atacantes en la red le... • https://bugzilla.suse.com/show_bug.cgi?id=1199443 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-4200 – Write access to the Catalog for any user when restricted-admin role is enabled
https://notcve.org/view.php?id=CVE-2021-4200
02 May 2022 — A Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when restricted-admin role is enabled. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4. Una vulnerabilidad de administración de privilegios inapropiada en SUSE Rancher permite el acceso de escritura al catálogo para cualquier usuario cuando el rol de administrador restringido está habilitado. Este problema afecta a: SUSE Rancher versiones anteriores... • https://bugzilla.suse.com/show_bug.cgi?id=1193992 • CWE-269: Improper Privilege Management •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36784 – Privilege escalation for users with create/update permissions in Global Roles
https://notcve.org/view.php?id=CVE-2021-36784
02 May 2022 — A Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4. Una vulnerabilidad de Administración de Privilegios Inapropiada en SUSE Rancher permite a usuarios con el rol restricted-admin escalar a full admin. Este problema afecta a: SUSE Rancher versiones anteriores a 2.5.13; Rancher versiones anteriores a 2.6.4 • https://bugzilla.suse.com/show_bug.cgi?id=1193991 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36778 – Exposure of repository credentials to external third-party sources
https://notcve.org/view.php?id=CVE-2021-36778
02 May 2022 — A Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3. Una vulnerabilidad de autorización incorrecta en SUSE Rancher permite a los administradores de repositorios de terceros recopilar credenciales que se envían a sus servidores. Este problema afecta a: Las versiones de SUSE Rancher anteriores a la 2.5.12;... • https://bugzilla.suse.com/show_bug.cgi?id=1191466 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21947 – rancher desktop: Dashboard API is network accessible
https://notcve.org/view.php?id=CVE-2022-21947
01 Apr 2022 — A Exposure of Resource to Wrong Sphere vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. This issue affects: SUSE Rancher Desktop versions prior to V. Una vulnerabilidad de control de acceso inapropiado en Rancher Desktop de SUSE permite a atacantes de la red local conectarse a la API de Dashboard (steve) para llevar a cabo acciones arbitrarias. Este problema afecta a: SUSE Rancher Desktop versiones anterior... • https://bugzilla.suse.com/show_bug.cgi?id=1197491 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-32001 – K3s/RKE2 bootstrap data is encrypted with empty string if user does not supply a token
https://notcve.org/view.php?id=CVE-2021-32001
28 Jul 2021 — K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions. K3s en SUSE ... • https://bugzilla.suse.com/show_bug.cgi?id=1188453 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25313 – Rancher: XSS on /v3/cluster/
https://notcve.org/view.php?id=CVE-2021-25313
05 Mar 2021 — A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links. This issue affects: SUSE Rancher Rancher versions prior to 2.5.6. Una vulnerabilidad de Neutralización Inapropiada de la Entrada Durante la Generación de Páginas Web ("Cross-site Scripting") en Rancher, permite a atacantes remotos ejecutar JavaScript por medio de enlaces maliciosos. Este problema afecta a: SUSE Rancher Rancher... • https://bugzilla.suse.com/show_bug.cgi?id=1181852 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13209
https://notcve.org/view.php?id=CVE-2019-13209
04 Sep 2019 — Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim. Rancher versiones 2 hasta 2.2.4, es vulnerable a un ataque de tipo Cross-Sit... • https://forums.rancher.com/c/announcements • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-11202
https://notcve.org/view.php?id=CVE-2019-11202
30 Jul 2019 — An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 through 2.2.1. When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin cr... • https://forums.rancher.com/c/announcements • CWE-287: Improper Authentication •