GHSA-2v2w-8v8c-wcm9

Published: 14 Jan 2025
Source: github
GitHub: reviewed
CVSS3: 8.9

Description

Rancher UI has Stored Cross-site Scripting vulnerability

Impact

A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.

See the associated MITRE ATT&CK technique, Drive-by Compromise, for further information about this category of attack.

Patches

The fix introduces new changes in the directives responsible for sanitizing HTML code before rendering.

We replaced the v-tooltip directive with the v-clean-tooltip directive.

Patched versions include releases 2.9.4 and 2.10.0.
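To make the directive change above concrete, here is an added illustration that is not Rancher's code: it models the shape of the two directives named in the advisory, a tooltip that writes a bound cluster description into the DOM as markup verbatim, next to one that runs the value through an allowlist sanitizer first. The directive names, the fake element, the allowlist and the payload are assumptions constructed for this example; the real v-clean-tooltip implementation in the Rancher dashboard is not reproduced here.

```javascript
// Added example, not Rancher's code. Models the vulnerable and hardened
// tooltip directives described in the advisory. Names and allowlist are
// assumptions; the payload below is constructed for illustration.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "code", "br"]);

// Entity-encode every character that could open markup or break out of an
// attribute. This is the fallback for anything the allowlist does not keep.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Allowlist sanitizer: only a bare allowlisted element name with no
// attributes (e.g. <b>, </em>, <br/>) is re-emitted as a tag; every other
// byte is entity-encoded. Because attributes are never preserved, event
// handlers and javascript: URLs cannot survive, and <script> is encoded.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\s*\/?>/g;
  let out = "";
  let last = 0;
  for (const m of html.matchAll(tagRe)) {
    out += escapeHtml(html.slice(last, m.index));
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith("</");
    out += ALLOWED_TAGS.has(name)
      ? `<${closing ? "/" : ""}${name}>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  out += escapeHtml(html.slice(last));
  return out;
}

// Stand-in for a DOM node so the example runs in Node without a browser.
class FakeTooltipEl {
  constructor() {
    this.innerHTML = "";
  }
}

// Vulnerable shape: the bound value reaches innerHTML untouched, so any
// markup stored in the cluster description renders as live HTML.
function vTooltip(el, binding) {
  el.innerHTML = binding.value;
  return el;
}

// Hardened shape: the value is sanitized before it reaches innerHTML.
function vCleanTooltip(el, binding) {
  el.innerHTML = sanitizeHtml(binding.value);
  return el;
}

// Constructed cluster description carrying an event-handler payload
// alongside harmless formatting an operator might legitimately use.
const CLUSTER_DESCRIPTION =
  'prod cluster <img src=x onerror="alert(document.cookie)"> <b>east</b>';

// Renders the same stored description through both directives and returns
// what each one would hand to the browser.
function demoClusterDescription(description = CLUSTER_DESCRIPTION) {
  const binding = { value: description };
  return {
    vulnerable: vTooltip(new FakeTooltipEl(), binding).innerHTML,
    hardened: vCleanTooltip(new FakeTooltipEl(), binding).innerHTML,
  };
}

const result = demoClusterDescription();
console.log("v-tooltip       :", result.vulnerable);
console.log("v-clean-tooltip :", result.hardened);
```

The allowlist approach is deliberately strict: a tag with any attribute at all is encoded rather than parsed, which sidesteps the attribute-parsing edge cases that typically break hand-written sanitizers. In a real UI you would still reach for a maintained sanitizer library rather than this twenty-line version; the point here is where in the render path the sanitization has to sit.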

Workarounds

There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of Rancher Manager which contains the fixes.

Credits

This issue was identified and reported by Bhavin Makwana from Workday’s Cyber Defence Team.

For more information

If you have any questions or comments about this advisory:

Packages

Name: github.com/rancher/rancher (go)
Affected versions: >= 2.9.0, < 2.9.4
Fixed version: 2.9.4

EPSS

Percentile: 6%
Score: 0.00025
Low

CVSS3

8.9 High

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 8.9
nvd
10 months ago

A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects rancher: from 2.9.0 before 2.9.4.

CVSS3: 8.9
fstec
about 1 year ago

Vulnerability in the user interface of the Rancher Kubernetes cluster management software, allowing an attacker to carry out a cross-site scripting (XSS) attack

suse-cvrf
about 1 year ago

Security update for govulncheck-vulndb
