pkg:Go/github.com/rancher/rancher

All known vulnerabilities

• CRITICAL9.9CVE-2021-25320Rancher cloud credentials can be used through proxy API by users without access in github.com/rancher/rancher
  >= 2.2.0, < 2.4.16
• CRITICAL9.9CVE-2021-25320Rancher cloud credentials can be used through proxy API by users without access in github.com/rancher/rancher
  >= 2.2.0+incompatible
• CRITICAL9.9CVE-2021-36783Rancher doesn't properly sanitize credentials in cluster template answers
  >= 2.5.0, < 2.5.13
• CRITICAL9.9Rancher vulnerable to Privilege Escalation via manipulation of Secrets
  >= 2.6.0, < 2.6.13
• CRITICAL9.9Rancher Webhook is misconfigured during upgrade process
  >= 2.7.2, < 2.7.3
• CRITICAL9.9Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
  >= 2.5.0, < 2.5.16
• CRITICAL9.8Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher
  >= 2.0.0+incompatible, < 2.2.2+incompatible
• CRITICAL9.8Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher
  >= 2.0.0, <= 2.0.13
• CRITICAL9.1Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB)
  >= 2.5.0, < 2.5.16
• CRITICAL9.1Rancher: Restricted Administrator can change Administrator's passwords in github.com/rancher/rancher
  from 0
• CRITICAL9.1Rancher: Restricted Administrator can change Administrator's passwords in github.com/rancher/rancher
  >= 2.8.0, < 2.8.14
• CRITICAL9.1Rancher Remote Code Execution via Cluster/Node Drivers in github.com/rancher/rancher
  from 0
• CRITICAL9.1Rancher Remote Code Execution via Cluster/Node Drivers in github.com/rancher/rancher
  >= 2.7.0, < 2.7.16
• CRITICAL9.1Exposure of vSphere's CPI and CSI credentials in Rancher in github.com/rancher/rancher
  >= 2.9.0, < 2.9.3
• CRITICAL9.1Exposure of vSphere's CPI and CSI credentials in Rancher in github.com/rancher/rancher
  from 0
• HIGH8.9Rancher UI has Stored Cross-site Scripting vulnerability in github.com/rancher/rancher
  >= 2.9.0, < 2.9.4
• HIGH8.9Rancher UI has Stored Cross-site Scripting vulnerability in github.com/rancher/rancher
  from 0
• HIGH8.8Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher
  >= 2.7.0, < 2.7.14
• HIGH8.8Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher
  from 0
• HIGH8.8Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher
  >= 2.0.0, < 2.4.16
• HIGH8.8Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher
  >= 2.0.0+incompatible
• HIGH8.8Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher
  >= 2.0.0+incompatible
• HIGH8.8Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher
  >= 2.0.0, < 2.4.16
• HIGH8.8Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher
  from 0
• HIGH8.8Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher
  >= 2.5.0, < 2.5.10
• HIGH8.8Rancher users retain access after moving namespaces into projects they don't have access to
  >= 2.6.0, < 2.6.13
• HIGH8.8Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects
  >= 2.5.0, < 2.5.17
• HIGH8.8Rancher code injection via fluentd config commands in github.com/rancher/rancher
  >= 2.0.0+incompatible, < 2.2.4+incompatible
• HIGH8.8Rancher code injection via fluentd config commands in github.com/rancher/rancher
  >= 2.0.0, < 2.2.4
• HIGH8.8Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher
  >= 2.0.0, < 2.2.4
• HIGH8.8Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher
  from 0, < 1.6.27, >= 2.0.0+incompatible, < 2.2.4+incompatible
• HIGH8.8Rancher Access Control Vulnerability in github.com/rancher/rancher
  >= 1.5.0, < 1.5.3
• HIGH8.8Rancher Access Control Vulnerability in github.com/rancher/rancher
  >= 1.2.0, < 1.2.4, >= 1.3.0, < 1.3.5, >= 1.4.0, < 1.4.3, >= 1.5.0, < 1.5.3
• HIGH8.7Cross-site request forgery in github.com/rancher/rancher
  >= 2.0.0, < 2.0.16
• HIGH8.7Cross-site request forgery in github.com/rancher/rancher
  from 0, < 2.2.5-rc6.0.20190621200032-0ddffe484adc+incompatible
• HIGH8.5Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher
  >= 2.8.0, < 2.9.9
• HIGH8.5Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher
  from 0
• HIGH8.4Rancher Extensions have arbitrary file access via path traversal
  >= 2.14.0, < 2.14.1
• HIGH8.4Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login in github.com/rancher/rancher
  from 0
• HIGH8.4Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login in github.com/rancher/rancher
  >= 2.8.0, < 2.8.13
• HIGH8.4Rancher UI has multiple Cross-Site Scripting (XSS) issues
  >= 2.6.0, < 2.6.13
• HIGH8.3Rancher CLI skips TLS verification on Rancher CLI login command in github.com/rancher/rancher
  from 0, < 0.0.0-20260129092249-bb0625fd1896
• HIGH8.3Rancher CLI skips TLS verification on Rancher CLI login command in github.com/rancher/rancher
  from 0
• HIGH8.3Exposure of repository credentials to external third-party sources in Rancher
  >= 2.6.0, < 2.6.3
• HIGH8.2Rancher affected by unauthenticated Denial of Service in github.com/rancher/rancher
  >= 2.12.0, < 2.12.1
• HIGH8.2Rancher affected by unauthenticated Denial of Service in github.com/rancher/rancher
  from 0, < 0.0.0-20250813072957-aee95d4e2a41
• HIGH8.2Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API in github.com/rancher/rancher
  >= 2.8.0, < 2.8.13
• HIGH8.2Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API in github.com/rancher/rancher
  from 0
• HIGH8.1Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher
  >= 2.0.0+incompatible, < 2.1.6+incompatible
• HIGH8.1Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher
  >= 2.0.0, < 2.1.6
• HIGH8.1Write access to the catalog for any user when restricted-admin role is enabled in Rancher
  >= 2.6.0, < 2.6.4
• HIGH8.0Rancher's Azure AD permission changes are not reflected on active sessions
  >= 2.6.7, < 2.6.13
• HIGH8.0Rancher CLI SAML authentication is vulnerable to phishing attacks in github.com/rancher/rancher
  >= 2.12.0, < 2.12.2
• HIGH8.0Rancher CLI SAML authentication is vulnerable to phishing attacks in github.com/rancher/rancher
  from 0
• HIGH8.0Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher
  >= 2.7.0, < 2.7.15
• HIGH8.0Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher
  from 0
• HIGH8.0Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher
  from 0, < 2.4.18
• HIGH8.0Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher
  from 0
• HIGH7.7Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher
  from 0
• HIGH7.7Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher
  >= 2.6.0, < 2.6.14
• HIGH7.6Rancher update on users can deny the service to the admin in github.com/rancher/rancher
  from 0
• HIGH7.6Rancher update on users can deny the service to the admin in github.com/rancher/rancher
  >= 2.12.0, < 2.12.2
• HIGH7.4Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
  >= 2.5.0, < 2.5.17
• HIGH7.2Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher
  from 0
• HIGH7.2Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher
  >= 2.6.0, < 2.6.14
• HIGH7.2Privilege escalation in project role template binding (PRTB) and -promoted roles
  >= 2.5.0, < 2.5.17
• HIGH7.1Rancher cattle-token is predictable
  >= 2.6.0, < 2.6.10
• MEDIUM6.8Rancher's weave CNI password is not configured when a cluster is created from an RKE template
  >= 2.6.0, < 2.6.5
• MEDIUM6.8Command injection in Rancher Git package
  >= 2.5.0, < 2.5.17
• MEDIUM6.6Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
  from 0
• MEDIUM6.6Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
  >= 2.7.0, < 2.8.9
• MEDIUM6.6Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
  >= 2.7.0, < 2.7.14
• MEDIUM6.6Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher
  from 0
• MEDIUM6.5Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher
  >= 2.7.0, < 2.7.14
• MEDIUM6.5Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher
  from 0
• MEDIUM6.5Privilege escalation for users with create/update permissions in Global Roles in Rancher
  >= 2.6.0, < 2.6.4
• MEDIUM6.2Rancher Helm Applications may have sensitive values leaked in github.com/rancher/rancher
  >= 2.8.0, < 2.8.10
• MEDIUM6.2Rancher Helm Applications may have sensitive values leaked in github.com/rancher/rancher
  from 0
• MEDIUM6.1Rancher Cross-site Scripting Vulnerability
  >= 2.5.0, < 2.5.6
• MEDIUM5.3Rancher's SAML-based login via CLI can be denied by unauthenticated users in github.com/rancher/rancher
  >= 2.8.0, < 2.8.13
• MEDIUM5.3Rancher's SAML-based login via CLI can be denied by unauthenticated users in github.com/rancher/rancher
  from 0
• MEDIUM4.7Rancher sends sensitive information to external services through the `/meta/proxy` endpoint in github.com/rancher/rancher
  from 0
• MEDIUM4.7Rancher sends sensitive information to external services through the `/meta/proxy` endpoint in github.com/rancher/rancher
  >= 2.12.0, < 2.12.2
• MEDIUM4.7Rancher Login Parameter Can Be Edited in github.com/rancher/rancher
  from 0, <= 2.1.4
• MEDIUM4.7Rancher Login Parameter Can Be Edited in github.com/rancher/rancher
  from 0
• MEDIUM4.3Rancher exposes sensitive information through audit logs in github.com/rancher/rancher
  from 0, < 0.0.0-20251013203444-50dc516a19ea
• MEDIUM4.3Rancher exposes sensitive information through audit logs in github.com/rancher/rancher
  from 0, < 0.0.0-20251013203444-50dc516a19ea
• MEDIUM4.3Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher
  from 0, < 0.0.0-20251014212116-7faa74a968c2
• MEDIUM4.3Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher
  from 0, < 0.0.0-20251014212116-7faa74a968c2
• MEDIUM4.2Access Control Bypass in github.com/rancher/rancher
  >= 2.0.0, < 2.1.6
• MEDIUM4.2Access Control Bypass in github.com/rancher/rancher
  >= 2.0.0+incompatible, < 2.1.6+incompatible