A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.
History

21 Nov 2024, 07:45

Type | Values Removed | Values Added |
---|---|---|
References | | |

15 Oct 2024, 14:15

Type | Values Removed | Values Added |
---|---|---|
References | | |
Summary | (en) A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE. | |
CWE | CWE-1270 | |

15 Oct 2024, 12:15

Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-287 | |
Summary | (en) A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user's tokens still usable. | |
References | | |

15 Oct 2024, 11:15

Type | Values Removed | Values Added |
---|---|---|
References | | |
Summary | (en) A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue. | |

25 Sep 2023, 16:28

Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22644 - Issue Tracking | |
First Time | Suse; Suse manager Server | |
CVSS | v2 : v3 : | v2 : unknown; v3 : 5.5 |
CPE | cpe:2.3:a:suse:manager_server:*:*:*:*:*:*:*:* | |

20 Sep 2023, 09:15

Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2023-09-20 09:15
Updated : 2024-11-21 07:45
NVD link : CVE-2023-22644
Mitre link : CVE-2023-22644
CVE.ORG link : CVE-2023-22644
Products Affected
suse
- manager_server
CWE
CWE-1270
Generation of Incorrect Security Tokens