CVE-2019-13209

Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.
Configurations

Configuration 1 (hide)

cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:24

Type Values Removed Values Added
References () https://forums.rancher.com/c/announcements - Release Notes, Vendor Advisory () https://forums.rancher.com/c/announcements - Release Notes, Vendor Advisory
References () https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801 - Release Notes, Vendor Advisory () https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801 - Release Notes, Vendor Advisory

Information

Published : 2019-09-04 14:15

Updated : 2024-11-21 04:24


NVD link : CVE-2019-13209

Mitre link : CVE-2019-13209

CVE.ORG link : CVE-2019-13209


JSON object : View

Products Affected

suse

  • rancher
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')