CVE-2021-31999

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-31999

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31999.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-31999

Aliases

Published

2021-07-15T09:15:08.210Z

Modified

2026-04-12T03:26:17.900515Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the "Impersonate-User" or "Impersonate-Group" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16.

References

https://bugzilla.suse.com/show_bug.cgi?id=1187084

Affected packages

Git / github.com/rancher/rancher

Affected ranges

Type

GIT

Repo

https://github.com/rancher/rancher

Events

Introduced

Fixed

c29a771063e6926df6916990f1730e0574042ba8

Introduced

65f3525cdc1167872af4140d45f3153698450c52

Fixed

3c54189441fdac08fd4a1b3113216e085004f061

Database specific

{
    "cpe": "cpe:2.3:a:rancher:rancher:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.4.16"
        },
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.5.9"
        }
    ]
}

Affected versions

2.*

2.4.8-rc2

v2.*

v2.0.0

v2.0.0-alpha11

v2.0.0-alpha12

v2.0.0-alpha14

v2.0.0-alpha17

v2.0.0-alpha18

v2.0.0-alpha19

v2.0.0-alpha20

v2.0.0-alpha21

v2.0.0-alpha22

v2.0.0-alpha23

v2.0.0-alpha24

v2.0.0-alpha25

v2.0.0-alpha26

v2.0.0-alpha27

v2.0.0-alpha28

v2.0.0-beta1

v2.0.0-beta2

v2.0.0-beta3

v2.0.0-beta3-rc1

v2.0.0-beta4

v2.0.0-beta4-rc1

v2.0.0-beta4-rc2

v2.0.0-beta4-rc3

v2.0.0-beta4-rc4

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0-rc4

v2.0.0-rc5

v2.0.1

v2.0.1-rc1

v2.0.1-rc2

v2.0.1-rc3

v2.0.1-rc4

v2.0.1-rc5

v2.0.1-rc6

v2.0.2

v2.0.2-rc1

v2.0.3

v2.0.3-rc1

v2.0.3-rc2

v2.0.3-rc3

v2.0.3-rc4

v2.0.3-rc5

v2.0.4

v2.0.4-rc1

v2.0.5

v2.0.5-rc1

v2.0.5-rc2

v2.0.5-rc3

v2.0.5-rc4

v2.0.5-rc5

v2.0.5-rc6

v2.0.6

v2.0.6-rc1

v2.0.6-rc2

v2.0.7

v2.0.7-rc1

v2.0.7-rc2

v2.0.7-rc3

v2.0.7-rc4

v2.0.7-rc5

v2.0.7-rc6

v2.0.8-rc2

v2.1.0

v2.1.0-rc1

v2.1.0-rc10

v2.1.0-rc2

v2.1.0-rc3

v2.1.0-rc4

v2.1.0-rc5

v2.1.0-rc6

v2.1.0-rc7

v2.1.0-rc8

v2.1.0-rc9

v2.2.0

v2.2.0-rc1

v2.2.0-rc10

v2.2.0-rc11

v2.2.0-rc12

v2.2.0-rc13

v2.2.0-rc14

v2.2.0-rc15

v2.2.0-rc2

v2.2.0-rc3

v2.2.0-rc4

v2.2.0-rc5

v2.2.0-rc6

v2.2.0-rc7

v2.2.0-rc8

v2.2.0-rc9

v2.3.0-alpha4

v2.3.0-alpha5

v2.3.0-alpha6

v2.3.0-alpha7

v2.3.0-rc1

v2.3.0-rc10

v2.3.0-rc2

v2.3.0-rc3

v2.3.0-rc4

v2.3.0-rc5

v2.3.0-rc6

v2.3.0-rc7

v2.3.0-rc8

v2.3.0-rc9

v2.4.0

v2.4.0-alpha1

v2.4.0-rc1

v2.4.0-rc10

v2.4.0-rc11

v2.4.0-rc12

v2.4.0-rc13

v2.4.0-rc14

v2.4.0-rc15

v2.4.0-rc16

v2.4.0-rc17

v2.4.0-rc18

v2.4.0-rc2

v2.4.0-rc3

v2.4.0-rc4

v2.4.0-rc5

v2.4.0-rc6

v2.4.0-rc7

v2.4.0-rc8

v2.4.0-rc9

v2.4.1-rc1

v2.4.1-rc2

v2.4.10

v2.4.10-rc1

v2.4.11

v2.4.11-rc1

v2.4.11-rc2

v2.4.11-rc3

v2.4.11-rc4

v2.4.11-rc5

v2.4.11-rc6

v2.4.13

v2.4.13-rc1

v2.4.13-rc2

v2.4.13-rc3

v2.4.13-rc4

v2.4.13-rc5

v2.4.13-rc6

v2.4.14

v2.4.14-rc1

v2.4.14-rc2

v2.4.14-rc3

v2.4.14-rc4

v2.4.15

v2.4.16-rc1

v2.4.16-rc2

v2.4.16-rc3

v2.4.16-rc4

v2.4.16-rc5

v2.4.2

v2.4.2-rc1

v2.4.2-rc2

v2.4.2-rc3

v2.4.3

v2.4.3-rc1

v2.4.3-rc2

v2.4.3-rc3

v2.4.3-rc4

v2.4.3-rc5

v2.4.3-rc6

v2.4.3-rc7

v2.4.4-rc1

v2.4.5

v2.4.5-rc1

v2.4.5-rc10

v2.4.5-rc2

v2.4.5-rc3

v2.4.5-rc4

v2.4.5-rc5

v2.4.5-rc6

v2.4.5-rc7

v2.4.5-rc8

v2.4.5-rc9

v2.4.6

v2.4.6-rc1

v2.4.6-rc10

v2.4.6-rc11

v2.4.6-rc12

v2.4.6-rc2

v2.4.6-rc3

v2.4.6-rc4

v2.4.6-rc5

v2.4.6-rc6

v2.4.6-rc7

v2.4.6-rc8

v2.4.6-rc9

v2.4.7

v2.4.7-rc1

v2.4.7-rc2

v2.4.7-rc3

v2.4.8

v2.4.8-rc1

v2.4.8-rc2

v2.4.8-rc3

v2.4.9

v2.4.9-rc1

v2.4.9-rc10

v2.4.9-rc11

v2.4.9-rc12

v2.4.9-rc2

v2.4.9-rc3

v2.4.9-rc4

v2.4.9-rc5

v2.4.9-rc6

v2.4.9-rc7

v2.4.9-rc8

v2.4.9-rc9

v2.5.0

v2.5.0-rc9

v2.5.1

v2.5.1-rc1

v2.5.2

v2.5.2-rc

v2.5.2-rc1

v2.5.2-rc10

v2.5.2-rc2

v2.5.2-rc3

v2.5.2-rc4

v2.5.2-rc5

v2.5.2-rc6

v2.5.2-rc7

v2.5.2-rc8

v2.5.2-rc9

v2.5.4

v2.5.4-rc1

v2.5.4-rc2

v2.5.4-rc3

v2.5.4-rc4

v2.5.4-rc5

v2.5.4-rc6

v2.5.4-rc7

v2.5.4-rc8

v2.5.4-rc9

v2.5.6

v2.5.6-rc1

v2.5.6-rc2

v2.5.6-rc3

v2.5.6-rc4

v2.5.6-rc5

v2.5.6-rc6

v2.5.6-rc7

v2.5.6-rc8

v2.5.6-rc9

v2.5.8

v2.5.8-patch1

v2.5.8-rc10

v2.5.8-rc11

v2.5.8-rc12

v2.5.8-rc13

v2.5.8-rc14

v2.5.8-rc15

v2.5.8-rc16

v2.5.8-rc17

v2.5.8-rc18

v2.5.8-rc19

v2.5.8-rc2

v2.5.8-rc20

v2.5.8-rc21

v2.5.8-rc3

v2.5.8-rc4

v2.5.8-rc5

v2.5.8-rc6

v2.5.8-rc7

v2.5.8-rc8

v2.5.8-rc9

v2.5.9-rc1

v2.5.9-rc10

v2.5.9-rc11

v2.5.9-rc12

v2.5.9-rc13

v2.5.9-rc14

v2.5.9-rc15

v2.5.9-rc2

v2.5.9-rc3

v2.5.9-rc4

v2.5.9-rc5

v2.5.9-rc6

v2.5.9-rc7

v2.5.9-rc8

v2.5.9-rc9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31999.json"