PT-2025-35332 · Suse · Rancher Manager
Publicado
2025-08-29
·
Atualizado
2025-10-08
·
CVE-2024-58259
CVSS v3.1
8.2
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
Rancher Manager versions 2.9.12, 2.10.9, 2.11.5, and 2.12.1
Description
A high-severity Denial of Service (DoS) flaw exists in Rancher Manager, allowing attackers to crash servers by sending oversized API requests to certain public (unauthenticated) and authenticated API endpoints. The vulnerability occurs because the software does not enforce request body size limits, allowing malicious users to send excessively large payloads that exhaust server memory. This can disrupt Rancher’s availability, impacting administrative and user operations. The issue affects both unauthenticated
/v3-public/* endpoints and several authenticated APIs.Recommendations
Upgrade to Rancher Manager version 2.9.12 to address the vulnerability.
Upgrade to Rancher Manager version 2.10.9 to address the vulnerability.
Upgrade to Rancher Manager version 2.11.5 to address the vulnerability.
Upgrade to Rancher Manager version 2.12.1 to address the vulnerability.
If upgrading is not immediately possible, manually set request body size limits, such as by using an nginx-ingress controller and only allowing requests via the ingress.
Exploit
Correção
DoS
Allocation of Resources Without Limits
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Rancher Manager