ID CVE-2019-11881
Summary A vulnerability exists in Rancher 2.1.4 in the login component, where the errorMsg parameter can be tampered with to display arbitrary content; tags are filtered, but special characters and symbols are not. There is no other limitation on the message, allowing malicious users to lure legitimate users to phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message.
References
Vulnerable Configurations
  • cpe:2.3:a:suse:rancher:2.1.4:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 13-04-2022 - 23:44)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK   Complexity: MEDIUM   Authentication: NONE
Impact
  Confidentiality: NONE   Integrity: PARTIAL   Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
refmap via4
confirm https://github.com/rancher/rancher/issues/20216
misc https://github.com/MauroEldritch/VanCleef
Last major update 13-04-2022 - 23:44
Published 10-06-2019 - 20:29
Last modified 13-04-2022 - 23:44