data/reports/GO-2022-0755.yaml

modules:
  - module: github.com/rancher/rancher
    versions:
      - fixed: 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible
    vulnerable_at: 2.2.5-rc6.0.20190621195844-88e9e38dc862+incompatible
    packages:
      - package: github.com/rancher/rancher/server
        symbols:
          - Start
        skip_fix: 'TODO: revisit this reason (multiple cannot find module providing
            package errors)'
      - package: github.com/rancher/rancher/pkg/clusterrouter
        symbols:
          - Router.ServeHTTP
        skip_fix: 'TODO: revisit this reason (multiple cannot find module providing
            package errors)'
description: |
    Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking
    attack that allows an exploiter to gain access to clusters managed by
    Rancher.
published: 2021-05-18T15:42:40Z
cves:
  - CVE-2019-13209
ghsas:
  - GHSA-xhg2-rvm8-w2jh
credit: Matt Belisle and Alex Stevenson at Workiva
references:
  - advisory: https://github.com/advisories/GHSA-xhg2-rvm8-w2jh
  - fix: https://github.com/rancher/rancher/commit/0ddffe484adccb9e37d9432e8e625d8ebbfb0088
  - web: https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801