CVE-2019-11881

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-11881
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11881.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-11881
Aliases
Published
2019-06-10T20:29:01Z
Modified
2025-01-15T01:37:37.810796Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Summary
[none]
Details

A vulnerability exists in Rancher before 2.2.4 in the login component, where the errorMsg parameter can be tampered with to display arbitrary content: HTML tags are filtered, but special characters and symbols are not, and there is no other limitation on the message. This allows malicious users to lure legitimate users to phishing sites with scare tactics, e.g., by displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message. Because the text is reflected straight from the URL, a crafted login link is all an attacker needs; no authentication is required (PR:N in the vector above), only that the victim open the link (UI:R).

References

Affected packages

Git / github.com/rancher/rancher

Affected ranges

Type
GIT
Repo
https://github.com/rancher/rancher
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v2.*

v2.0.0
v2.0.0-alpha11
v2.0.0-alpha12
v2.0.0-alpha14
v2.0.0-alpha17
v2.0.0-alpha18
v2.0.0-alpha19
v2.0.0-alpha20
v2.0.0-alpha21
v2.0.0-alpha22
v2.0.0-alpha23
v2.0.0-alpha24
v2.0.0-alpha25
v2.0.0-alpha26
v2.0.0-alpha27
v2.0.0-alpha28
v2.0.0-beta1
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta3-rc1
v2.0.0-beta4
v2.0.0-beta4-rc1
v2.0.0-beta4-rc2
v2.0.0-beta4-rc3
v2.0.0-beta4-rc4
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.0.1
v2.0.1-rc1
v2.0.1-rc2
v2.0.1-rc3
v2.0.1-rc4
v2.0.1-rc5
v2.0.1-rc6
v2.0.2
v2.0.2-rc1
v2.0.3
v2.0.3-rc1
v2.0.3-rc2
v2.0.3-rc3
v2.0.3-rc4
v2.0.3-rc5
v2.0.4
v2.0.4-rc1
v2.0.5
v2.0.5-rc1
v2.0.5-rc2
v2.0.5-rc3
v2.0.5-rc4
v2.0.5-rc5
v2.0.5-rc6
v2.0.6
v2.0.6-rc1
v2.0.6-rc2
v2.0.7
v2.0.7-rc1
v2.0.7-rc2
v2.0.7-rc3
v2.0.7-rc4
v2.0.7-rc5
v2.0.7-rc6
v2.0.8
v2.0.8-rc2
v2.0.8-rc3
v2.0.8-rc4
v2.0.8-rc5
v2.0.8-rc6
v2.1.0
v2.1.0-rc1
v2.1.0-rc10
v2.1.0-rc2
v2.1.0-rc3
v2.1.0-rc4
v2.1.0-rc5
v2.1.0-rc6
v2.1.0-rc7
v2.1.0-rc8
v2.1.0-rc9
v2.2.0
v2.2.0-rc1
v2.2.0-rc10
v2.2.0-rc11
v2.2.0-rc12
v2.2.0-rc13
v2.2.0-rc14
v2.2.0-rc15
v2.2.0-rc2
v2.2.0-rc3
v2.2.0-rc4
v2.2.0-rc5
v2.2.0-rc6
v2.2.0-rc7
v2.2.0-rc8
v2.2.0-rc9