Vulnerability Description
Rancher 2 through 2.2.4 is vulnerable to Cross-Site WebSocket Hijacking (CSWSH), which allows an attacker to gain access to clusters managed by Rancher. The attack requires the victim to be logged into a Rancher server and then to visit a third-party site controlled by the attacker. Once that happens, the attacker can execute commands against the cluster's Kubernetes API with the victim's permissions and identity.
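CSWSH works because a browser attaches the user's session cookie to a WebSocket handshake no matter which page opened the socket, and the same-origin policy does not block the connection. The server-side defence is to validate the `Origin` header, which the browser sets and page scripts cannot forge, against an allow-list before completing the upgrade. The following is an added illustration of that check, not code from Rancher or from the advisory; the `/ws` path, the `session` cookie name, the hostnames and the handshake text are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample handshakes (not captured from a real deployment). Both carry
# the same session cookie, so the cookie alone cannot distinguish them; only the
# Origin header reveals which site opened the socket.
SAME_SITE_HANDSHAKE = (
    "GET /ws HTTP/1.1\r\n"
    "Host: rancher.example.internal\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://rancher.example.internal\r\n"
    "Cookie: session=constructed-session-token\r\n"
    "\r\n"
)

CROSS_SITE_HANDSHAKE = (
    "GET /ws HTTP/1.1\r\n"
    "Host: rancher.example.internal\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://third-party.example\r\n"
    "Cookie: session=constructed-session-token\r\n"
    "\r\n"
)

# Hypothetical allow-list of origins that may open cookie-authenticated sockets.
ALLOWED_ORIGINS = ["https://rancher.example.internal"]


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased dict."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def normalize_origin(origin: str):
    """Reduce an origin to (scheme, host, port), filling in default ports.

    Returns None for anything that is not a well-formed http(s) origin,
    including the literal "null" origin that browsers send from sandboxed
    or opaque contexts.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(headers: dict, allowed_origins) -> bool:
    """Return True only if a WebSocket upgrade carries an allow-listed Origin."""
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    origin = headers.get("origin")
    if origin is None:
        # No Origin means a non-browser client; such clients should present a
        # bearer token rather than rely on an ambient cookie, so reject here.
        return False
    norm = normalize_origin(origin)
    if norm is None:
        return False
    allowed = {normalize_origin(o) for o in allowed_origins}
    return norm in allowed


def evaluate(raw: str) -> str:
    """Decide whether to complete the upgrade for a raw handshake request."""
    return "accept" if origin_allowed(parse_headers(raw), ALLOWED_ORIGINS) else "reject"


if __name__ == "__main__":
    print("same-site :", evaluate(SAME_SITE_HANDSHAKE))
    print("cross-site:", evaluate(CROSS_SITE_HANDSHAKE))
```

Normalizing scheme, host and port before comparison matters: `https://rancher.example.internal` and `https://rancher.example.internal:443` are the same origin and must both match, while a prefix or substring match (`rancher.example.internal.third-party.example`) must not. An `Origin` check can be complemented by requiring a per-session token in the handshake, which also covers non-browser clients that send no `Origin` at all.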
CVSS Score
MEDIUM (CVSS base score 6.1)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Suse | Rancher | >= 2.0.0, <= 2.2.4 |
Related Weaknesses (CWE)
References
- https://forums.rancher.com/c/announcements (Release Notes, Vendor Advisory)
- https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-1 (Release Notes, Vendor Advisory)
FAQ
What is CVE-2019-13209?
CVE-2019-13209 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into ...
How severe is CVE-2019-13209?
CVE-2019-13209 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-13209?
Check the references section above for vendor advisories and patch information. Affected products include: Suse Rancher.