Skip to content

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-mq23-vvg7-xfm4 #3490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
GoVulnBot opened this issue Feb 27, 2025 · 1 comment
Assignees
Labels

Comments

@GoVulnBot
Copy link

Advisory GHSA-mq23-vvg7-xfm4 references a vulnerability in the following Go modules:

Module
github.com/rancher/rancher

Description:

Impact

A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login.

The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the [User Retention feature](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rancher
      non_go_versions:
        - introduced: 2.8.0
        - fixed: 2.8.13
        - introduced: 2.9.0
        - fixed: 2.9.7
        - introduced: 2.10.0
        - fixed: 2.10.3
      vulnerable_at: 1.6.30
summary: |-
    Rancher does not Properly Validate Account Bindings in SAML Authentication
    Enables User Impersonation on First Login in github.com/rancher/rancher
cves:
    - CVE-2025-23389
ghsas:
    - GHSA-mq23-vvg7-xfm4
references:
    - advisory: https://github.com/advisories/GHSA-mq23-vvg7-xfm4
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-mq23-vvg7-xfm4
source:
    id: GHSA-mq23-vvg7-xfm4
    created: 2025-02-27T19:01:23.62083138Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/654257 mentions this issue: data/reports: add 23 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants