CVE-2019-12274

Опубликовано: 06 июн. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 4

EPSS Низкий

Описание

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

Ссылки

https://forums.rancher.com/c/announcements
Release Notes
Vendor Advisory
https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
Release Notes
Vendor Advisory
https://forums.rancher.com/c/announcements
Release Notes
Vendor Advisory
https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*

Версия от 1.0.0 (включая) до 1.6.28 (включая)

cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.2.3 (включая)

EPSS

Процентиль: 41%

0.00191

Низкий

8.8 High

CVSS3

4 Medium

CVSS2

Дефекты

CWE-668

Связанные уязвимости

GHSA-gc62-j469-9gjm