GHSA-mq23-vvg7-xfm4

Source

https://github.com/advisories/GHSA-mq23-vvg7-xfm4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-mq23-vvg7-xfm4/GHSA-mq23-vvg7-xfm4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mq23-vvg7-xfm4

Aliases

Published

2025-02-27T18:27:56Z

Modified

2025-04-11T23:13:40Z

Severity

8.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator

Summary

Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login

Details

Impact

A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login.

The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the User Retention feature with delete-inactive-user-after.

More precisely, Rancher validates only a subset of input from the SAML assertion request; however, it trusts and uses values that are not properly validated. An attacker could then configure the samlRancherUserID cookie and the samlRancherAction cookie so that the user principal from the AP will be added to the user specified by the attacker (from samlRancherUserID). Rancher can then be deceived by setting samlRancherUserID to the admin's user ID and samlRancherAction to testAndEnable, thereby executing the vulnerable code path and leading to privilege escalation.

Note that the vulnerability impacts all SAML APs available in Rancher. However the following Rancher deployments are not affected: 1. Rancher deployments not using SAML-based AP. 2. Rancher deployments using SAML-based AP, where all SAML users are already signed in and linked to a Rancher account.

Please consult the associated MITRE ATT&CK - Technique - Access Token Manipulation: Token Impersonation/Theft for further information about this category of attack.

Patches

This vulnerability is addressed by adding the UserID claim to a JWT signed token, which is protected against tampering.

Patched versions include releases v2.8.13, v2.9.7 and v2.10.3.

Workarounds

Rancher deployments that can't upgrade, could temporarily disable the SAML-based AP as a temporary workaround. However, upgrading is recommended.

References

If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.

Database specific

{
    "nvd_published_at": "2025-04-11T11:15:42Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-27T18:27:56Z"
}

References

Affected packages

Go / github.com/rancher/rancher

Package

Name: github.com/rancher/rancher; View open source insights on deps.dev
Purl: pkg:golang/github.com/rancher/rancher

Affected ranges

Type: SEMVER
Events: Introduced

2.8.0

Fixed

2.8.13

Go / github.com/rancher/rancher

Package

Name: github.com/rancher/rancher; View open source insights on deps.dev
Purl: pkg:golang/github.com/rancher/rancher

Affected ranges

Type: SEMVER
Events: Introduced

2.9.0

Fixed

2.9.7

Go / github.com/rancher/rancher

Package

Name: github.com/rancher/rancher; View open source insights on deps.dev
Purl: pkg:golang/github.com/rancher/rancher

Affected ranges

Type: SEMVER
Events: Introduced

2.10.0

Fixed

2.10.3