A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.
Please consult the associated MITRE ATT&CK - Technique - Drive-by Compromise for further information about this category of attack.
The fix introduces new changes in the directives responsible for sanitizing HTML code before rendering.
We replaced the v-tooltip directive with the v-clean-tooltip directive.
Patched versions include releases 2.9.4 and 2.10.0.
There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of /Rancher Manager which contains the fixes.
This issue was identified and reported by Bhavin Makwana from Workday’s Cyber Defence Team.
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
| Score | Percentile |
|---|---|
| 0.01% | 1.70% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.9 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-2v2w-8v8c-wcm9 ↗ |
| CVE | CVE-2024-52281 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/rancher/rancher | >= 2.9.0, < 2.9.4 | 2.9.4 | — |