GHSA-2v2w-8v8c-wcm9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2v2w-8v8c-wcm9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-2v2w-8v8c-wcm9/GHSA-2v2w-8v8c-wcm9.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-2v2w-8v8c-wcm9
- Aliases
-
- CVE-2024-52281
- GO-2025-3391
- Published
- 2025-01-14T22:03:33Z
- Modified
- 2025-01-15T15:41:47.194043Z
- Severity
-
- 8.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
- Summary
- Rancher UI has Stored Cross-site Scripting vulnerability
- Details
-
Impact
A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.
Please consult the associated MITRE ATT&CK - Technique - Drive-by Compromise for further information about this category of attack.
Patches
The fix introduces new changes in the directives responsible for sanitizing HTML code before rendering.
We replaced the
v-tooltipdirective with thev-clean-tooltipdirective.Patched versions include releases
2.9.4and2.10.0.Workarounds
There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of /Rancher Manager which contains the fixes.
Credits
This issue was identified and reported by Bhavin Makwana from Workday’s Cyber Defence Team.
For more information
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-01-14T22:03:33Z" }- References
Affected packages
Go / github.com/rancher/rancher
Package
- Name
- github.com/rancher/rancher
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/rancher/rancher