CyberSec.Space Logo
Back to CVE Browser

CVE-2019-12274

HIGH
8.8
CVSS Severity Score
EPSS Score0.0440%
EPSS Percentile44.84th
PublishedJun 6, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

Affected Platforms (CPE)

πŸ“¦
Suse

Rancher

>= 1.0.0 and <= 1.6.28
πŸ“¦
Suse

Rancher

>= 2.0.0 and <= 2.2.3

References & Advisories

πŸ”— https://forums.rancher.com/c/announcements
πŸ”— https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
πŸ”— https://forums.rancher.com/c/announcements
πŸ”— https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466

Related Vulnerabilities

CVE-2021-367839.9

A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project...

CVE-2021-367829.9

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, P...

CVE-2021-253209.9

A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating req...

CVE-2019-112029.8

An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 ...