Vulnerability Details : CVE-2019-13209
Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-13209
- cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-13209
- EPSS score: 0.28% (probability of exploitation activity in the next 30 days)
- Percentile: ~51% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-13209
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2019-13209
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-13209
- https://forums.rancher.com/c/announcements (Latest Announcements topics - Rancher Labs): Release Notes; Vendor Advisory
- https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801 (Rancher Release - v2.2.5 - Addresses Rancher CVE-2019-13209 - Announcements - Rancher Labs): Release Notes; Vendor Advisory