ghsa-mq23-vvg7-xfm4
Vulnerability from github
Published
2025-02-27 18:27
Modified
2025-04-11 23:13
Severity ?
8.4 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Summary
Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login
Details

Impact

A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login.

The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the User Retention feature with delete-inactive-user-after.

More precisely, Rancher validates only a subset of input from the SAML assertion request; however, it trusts and uses values that are not properly validated. An attacker could then configure the saml_Rancher_UserID cookie and the saml_Rancher_Action cookie so that the user principal from the AP will be added to the user specified by the attacker (from saml_Rancher_UserID). Rancher can then be deceived by setting saml_Rancher_UserID to the admin's user ID and saml_Rancher_Action to testAndEnable, thereby executing the vulnerable code path and leading to privilege escalation.

Note that the vulnerability impacts all SAML APs available in Rancher. However the following Rancher deployments are not affected: 1. Rancher deployments not using SAML-based AP. 2. Rancher deployments using SAML-based AP, where all SAML users are already signed in and linked to a Rancher account.

Please consult the associated MITRE ATT&CK - Technique - Access Token Manipulation: Token Impersonation/Theft for further information about this category of attack.

Patches

This vulnerability is addressed by adding the UserID claim to a JWT signed token, which is protected against tampering.

Patched versions include releases v2.8.13, v2.9.7 and v2.10.3.

Workarounds

Rancher deployments that can't upgrade, could temporarily disable the SAML-based AP as a temporary workaround. However, upgrading is recommended.

References

If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.

Show details on source website

To clipboard 

{
   affected: [
      {
         package: {
            ecosystem: "Go",
            name: "github.com/rancher/rancher",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "2.8.0",
                  },
                  {
                     fixed: "2.8.13",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         package: {
            ecosystem: "Go",
            name: "github.com/rancher/rancher",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "2.9.0",
                  },
                  {
                     fixed: "2.9.7",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         package: {
            ecosystem: "Go",
            name: "github.com/rancher/rancher",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "2.10.0",
                  },
                  {
                     fixed: "2.10.3",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2025-23389",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-284",
         "CWE-287",
      ],
      github_reviewed: true,
      github_reviewed_at: "2025-02-27T18:27:56Z",
      nvd_published_at: "2025-04-11T11:15:42Z",
      severity: "HIGH",
   },
   details: "### Impact\nA vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login.\n\nThe issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the [User Retention feature](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-user-retention) with delete-inactive-user-after.\n\nMore precisely, Rancher validates only a subset of input from the SAML assertion request; however, it trusts and uses values that are not properly validated. An attacker could then configure the saml_Rancher_UserID cookie and the saml_Rancher_Action cookie so that the user principal from the AP will be added to the user specified by the attacker (from saml_Rancher_UserID). Rancher can then be deceived by setting saml_Rancher_UserID to the admin's user ID and saml_Rancher_Action to testAndEnable, thereby executing the vulnerable code path and leading to privilege escalation.\n\nNote that the vulnerability impacts all SAML APs available in Rancher. However the following Rancher deployments are not affected:\n1. Rancher deployments not using SAML-based AP.\n2. Rancher deployments using SAML-based AP, where all SAML users are already signed in and linked to a Rancher account.\n\nPlease consult the associated  [MITRE ATT&CK - Technique - Access Token Manipulation: Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001/) for further information about this category of attack.\n\n### Patches\nThis vulnerability is addressed by adding the UserID claim to a JWT signed token, which is protected against tampering. \n\nPatched versions include releases `v2.8.13`, `v2.9.7` and `v2.10.3`.\n\n### Workarounds\nRancher deployments that can't upgrade, could temporarily disable the SAML-based AP as a temporary workaround. However, upgrading is recommended.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
   id: "GHSA-mq23-vvg7-xfm4",
   modified: "2025-04-11T23:13:40Z",
   published: "2025-02-27T18:27:56Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/rancher/rancher/security/advisories/GHSA-mq23-vvg7-xfm4",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2025-23389",
      },
      {
         type: "WEB",
         url: "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23389",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/rancher/rancher",
      },
      {
         type: "WEB",
         url: "https://pkg.go.dev/vuln/GO-2025-3490",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
         type: "CVSS_V3",
      },
   ],
   summary: "Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login",
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.