CVE-2019-12274

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
Configurations

Configuration 1

OR cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*
cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:22

Type: References
Values Removed: https://forums.rancher.com/c/announcements - Release Notes, Vendor Advisory
Values Added: https://forums.rancher.com/c/announcements - Release Notes, Vendor Advisory

Type: References
Values Removed: https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466 - Release Notes, Vendor Advisory
Values Added: https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466 - Release Notes, Vendor Advisory

Information

Published : 2019-06-06 16:29

Updated : 2024-11-21 04:22


NVD link : CVE-2019-12274

Mitre link : CVE-2019-12274

CVE.ORG link : CVE-2019-12274



Products Affected

suse

  • rancher
CWE
CWE-668

Exposure of Resource to Wrong Sphere

CWE-862

Missing Authorization