| id: GO-2022-0755 |
| modules: |
| - module: github.com/rancher/rancher |
| versions: |
| - fixed: 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible |
| vulnerable_at: 2.2.5-rc6.0.20190621195844-88e9e38dc862+incompatible |
| packages: |
| - package: github.com/rancher/rancher/server |
| symbols: |
| - Start |
| skip_fix: 'TODO: revisit this reason (multiple cannot find module providing package errors)' |
| - package: github.com/rancher/rancher/pkg/clusterrouter |
| symbols: |
| - Router.ServeHTTP |
| skip_fix: 'TODO: revisit this reason (multiple cannot find module providing package errors)' |
| summary: Cross-site request forgery in github.com/rancher/rancher |
| description: |- |
| Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking attack that allows |
| an exploiter to gain access to clusters managed by Rancher. |
| published: 2021-05-18T15:42:40Z |
| cves: |
| - CVE-2019-13209 |
| ghsas: |
| - GHSA-xhg2-rvm8-w2jh |
| credits: |
| - Matt Belisle |
| - Alex Stevenson at Workiva |
| references: |
| - advisory: https://github.com/advisories/GHSA-xhg2-rvm8-w2jh |
| - fix: https://github.com/rancher/rancher/commit/0ddffe484adccb9e37d9432e8e625d8ebbfb0088 |
| - web: https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801 |
