blob: 8f79b726e9dfe0852c35f885f94315d77ccaba7b [file] [log] [blame]
id: GO-2022-0755
modules:
- module: github.com/rancher/rancher
versions:
- fixed: 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible
vulnerable_at: 2.2.5-rc6.0.20190621195844-88e9e38dc862+incompatible
packages:
- package: github.com/rancher/rancher/server
symbols:
- Start
skip_fix: 'TODO: revisit this reason (multiple cannot find module providing package errors)'
- package: github.com/rancher/rancher/pkg/clusterrouter
symbols:
- Router.ServeHTTP
skip_fix: 'TODO: revisit this reason (multiple cannot find module providing package errors)'
summary: Cross-site request forgery in github.com/rancher/rancher
description: |-
Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking attack that allows
an exploiter to gain access to clusters managed by Rancher.
published: 2021-05-18T15:42:40Z
cves:
- CVE-2019-13209
ghsas:
- GHSA-xhg2-rvm8-w2jh
credits:
- Matt Belisle
- Alex Stevenson at Workiva
references:
- advisory: https://github.com/advisories/GHSA-xhg2-rvm8-w2jh
- fix: https://github.com/rancher/rancher/commit/0ddffe484adccb9e37d9432e8e625d8ebbfb0088
- web: https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801
review_status: REVIEWED