PT-2025-35332 · Suse · Rancher Manager

Publicado

2025-08-29

·

Atualizado

2025-10-08

·

CVE-2024-58259

CVSS v3.1

8.2

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions Rancher Manager versions 2.9.12, 2.10.9, 2.11.5, and 2.12.1
Description A high-severity Denial of Service (DoS) flaw exists in Rancher Manager, allowing attackers to crash servers by sending oversized API requests to certain public (unauthenticated) and authenticated API endpoints. The vulnerability occurs because the software does not enforce request body size limits, allowing malicious users to send excessively large payloads that exhaust server memory. This can disrupt Rancher’s availability, impacting administrative and user operations. The issue affects both unauthenticated /v3-public/* endpoints and several authenticated APIs.
Recommendations Upgrade to Rancher Manager version 2.9.12 to address the vulnerability. Upgrade to Rancher Manager version 2.10.9 to address the vulnerability. Upgrade to Rancher Manager version 2.11.5 to address the vulnerability. Upgrade to Rancher Manager version 2.12.1 to address the vulnerability. If upgrading is not immediately possible, manually set request body size limits, such as by using an nginx-ingress controller and only allowing requests via the ingress.

Exploit

Correção

DoS

Allocation of Resources Without Limits

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2024-58259
GHSA-4H45-JPVH-6P5J
GO-2025-3923
OPENSUSE-SU-2025:15538-1
SUSE-SU-2025:03289-1

Produtos afetados

Rancher Manager