Do Not Allow Unused Users
If users that no service needs exist in the system, attackers may use them to launch attacks. Only users required by services are retained in the system. Other users used for installation, deployment, commissioning, verification, and fault locating must be deleted. By default, unused users do not...
Rancher Does Not Properly Validate Account Bindings in SAML Authentication, Enabling User Impersonation on First Login
Impact: A vulnerability in Rancher has been discovered, leading to local user impersonation through SAML authentication on first login. The issue occurs when a SAML authentication provider (AP) is configured, e.g. Keycloak. A newly created AP user can impersonate any user on Rancher by manipulating...
GHSA-9GHH-MMCQ-8PHC: Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
Impact: A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users: Rancher will not reflect these modifications, which may leave the...
UPchieve: No Rate Limit on Password Reset Page on UPchieve
Summary: Introduction. A little bit about rate limiting: a rate-limiting algorithm is used to check whether the user session or IP address has to be limited, based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status...