CVE-2019-12274

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-12274
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12274.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-12274
Aliases
Published
2019-06-06T16:29:01Z
Modified
2025-01-14T07:29:14.236115Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

References

Affected packages

Git / github.com/rancher/rancher

Affected ranges

Type
GIT
Repo
https://github.com/rancher/rancher
Events
Introduced
14c6b3e8f903814c1bb9364187fb8193e33e7a82
Last affected
b1896822e58bb42a513b664aca88ed410a5a7add

Affected versions

v2.*

v2.0.0
v2.0.0-rc5
v2.0.1
v2.0.1-rc1
v2.0.1-rc2
v2.0.1-rc3
v2.0.1-rc4
v2.0.1-rc5
v2.0.1-rc6
v2.0.2
v2.0.2-rc1
v2.0.3
v2.0.3-rc1
v2.0.3-rc2
v2.0.3-rc3
v2.0.3-rc4
v2.0.3-rc5
v2.0.4
v2.0.4-rc1
v2.0.5
v2.0.5-rc1
v2.0.5-rc2
v2.0.5-rc3
v2.0.5-rc4
v2.0.5-rc5
v2.0.5-rc6
v2.0.6
v2.0.6-rc1
v2.0.6-rc2
v2.0.7
v2.0.7-rc1
v2.0.7-rc2
v2.0.7-rc3
v2.0.7-rc4
v2.0.7-rc5
v2.0.7-rc6
v2.0.8
v2.0.8-rc2
v2.0.8-rc3
v2.0.8-rc4
v2.0.8-rc5
v2.0.8-rc6
v2.1.0
v2.1.0-rc1
v2.1.0-rc10
v2.1.0-rc2
v2.1.0-rc3
v2.1.0-rc4
v2.1.0-rc5
v2.1.0-rc6
v2.1.0-rc7
v2.1.0-rc8
v2.1.0-rc9
v2.2.0
v2.2.0-rc1
v2.2.0-rc10
v2.2.0-rc11
v2.2.0-rc12
v2.2.0-rc13
v2.2.0-rc14
v2.2.0-rc15
v2.2.0-rc2
v2.2.0-rc3
v2.2.0-rc4
v2.2.0-rc5
v2.2.0-rc6
v2.2.0-rc7
v2.2.0-rc8
v2.2.0-rc9
v2.2.1
v2.2.1-rc1
v2.2.2
v2.2.2-patch1-rc1
v2.2.2-patch1-rc2
v2.2.2-rc1
v2.2.2-rc10
v2.2.2-rc11
v2.2.2-rc12
v2.2.2-rc13
v2.2.2-rc14
v2.2.2-rc2
v2.2.2-rc3
v2.2.2-rc4
v2.2.2-rc5
v2.2.2-rc6
v2.2.2-rc7
v2.2.2-rc8
v2.2.2-rc9
v2.2.3