CVE-2019-13209

Опубликовано: 04 сент. 2019

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.

Ссылки

https://forums.rancher.com/c/announcements
Release Notes
Vendor Advisory
https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801
Release Notes
Vendor Advisory
https://forums.rancher.com/c/announcements
Release Notes
Vendor Advisory
https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.2.4 (включая)

EPSS

Процентиль: 46%

0.00236

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-xhg2-rvm8-w2jh

CVSS3: 8.7

github

больше 4 лет назад

Rancher Vulnerable to Cross-site Request Forgery (CSRF)