CVE-2019-12274
Last modified
CVE-2019-12274 is a vulnerability of currently unknown severity. In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.. EPSS estimates a 1.14% chance of exploitation in the next 30 days.
Description
In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Suse | Rancher | >= 1.0.0, <= 1.6.28 |
| Suse | Rancher | >= 2.0.0, <= 2.2.3 |
References
- https://forums.rancher.com/c/announcementsRelease Notes, Vendor Advisory
- https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466Release Notes, Vendor Advisory
- https://forums.rancher.com/c/announcementsRelease Notes, Vendor Advisory
- https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466Release Notes, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-12274?
How severe is CVE-2019-12274?
How do I fix CVE-2019-12274?
Are you affected by CVE-2019-12274?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST