modules:
    - module: github.com/rancher/rancher
      versions:
        - fixed: 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible
      vulnerable_at: 2.2.5-rc6.0.20190621195844-88e9e38dc862+incompatible
      packages:
        - package: github.com/rancher/rancher/server
          symbols:
            - Start
        - package: github.com/rancher/rancher/pkg/clusterrouter
          symbols:
            - Router.ServeHTTP
description: |
    Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking
    attack that allows an exploiter to gain access to clusters managed by
    Rancher.
published: 2021-05-18T15:42:40Z
cves:
    - CVE-2019-13209
ghsas:
    - GHSA-xhg2-rvm8-w2jh
credit: Matt Belisle and Alex Stevenson at Workiva
references:
    - advisory: https://github.com/advisories/GHSA-xhg2-rvm8-w2jh
    - fix: https://github.com/rancher/rancher/commit/0ddffe484adccb9e37d9432e8e625d8ebbfb0088
    - web: https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801