6 matches found
GO-2024-3161 Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher
Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
GO-2023-1973 Rancher Access Control Vulnerability in github.com/rancher/rancher
Rancher Access Control Vulnerability in github.com/rancher/rancher...
GO-2024-2771 Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher
Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...
Cross-site Scripting (XSS)
github.com/rancher/rancher is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in the Projects/Namespaces and Auth Provider sections, which allows an attacker with write access to inject and execute malicious code and steal sensitive information, manipulate web content, or perform...
Improper Privilege Management
github.com/rancher/rancher is vulnerable to Improper Privilege Management. The vulnerability exists because the library allowed standard users or above to elevate their permissions to Administrator in the local cluster, which can lead to manipulating Kubernetes secrets or gaining access to tokens...
Command Injection
github.com/rancher/rancher is vulnerable to Command Injection. The vulnerability exists because git.go doesn't properly validate user input, allowing an attacker to inject and execute maliciously crafted commands through the rancher host...