SUSE · Rancher Manager · CVE-2025-54468
**Name of the Vulnerable Software and Affected Versions**
Rancher Manager versions prior to 2.9.12
Rancher Manager versions prior to 2.10.10
Rancher Manager versions prior to 2.11.6
Rancher Manager versions prior to 2.12.2
**Description**
When a new cloud credential is created, Rancher Manager forwards requests to the cloud provider through its `/meta/proxy` API endpoint. Affected versions pass the caller's Kubernetes impersonation headers through to that upstream request, so the `Impersonate-Extra-*` headers, specifically `Impersonate-Extra-Username` and `Impersonate-Extra-Principalid`, are sent to the external entity; these carry sensitive information about the logged-in user, such as their email address. The proxied requests only reach the domains allowlisted in `nodedrivers.management.cattle.io` objects, which include domains such as `amazonaws.com` and `api.digitalocean.com`, so the exposure is to those third-party endpoints rather than to arbitrary hosts. Passwords, password hashes and Rancher authentication tokens are not leaked.
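The following is an added example, not Rancher's own `/meta/proxy` code, that shows the failure mode in miniature: a forwarder that copies the inbound request's headers to the upstream leaks the `Impersonate-*` family, while one that strips that family before forwarding does not. The upstream is a local test server standing in for a cloud API, the header values are constructed, and the allowlist contents and the label-aware suffix matching in `hostAllowed` are assumptions for illustration, not the matching logic Rancher applies to `nodedrivers.management.cattle.io` objects.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// allowedHosts stands in for the allowlist the advisory says is kept in
// nodedrivers.management.cattle.io objects. Constructed for this example.
var allowedHosts = []string{"amazonaws.com", "api.digitalocean.com"}

// hostAllowed does a label-aware suffix match: "ec2.us-east-1.amazonaws.com"
// passes, "evil-amazonaws.com" does not. Assumed rule, not Rancher's.
func hostAllowed(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, a := range allowedHosts {
		if host == a || strings.HasSuffix(host, "."+a) {
			return true
		}
	}
	return false
}

// isImpersonationHeader matches the Kubernetes impersonation header family
// (Impersonate-User, Impersonate-Group, Impersonate-Uid, Impersonate-Extra-*).
func isImpersonationHeader(name string) bool {
	return strings.HasPrefix(strings.ToLower(name), "impersonate-")
}

// outboundHeaders builds the header set a forwarder sends upstream. scrub=false
// copies everything (the leaking behaviour); scrub=true drops impersonation headers.
func outboundHeaders(in http.Header, scrub bool) http.Header {
	out := http.Header{}
	for name, values := range in {
		if scrub && isImpersonationHeader(name) {
			continue
		}
		for _, v := range values {
			out.Add(name, v)
		}
	}
	return out
}

// forward issues a GET to target carrying the computed outbound headers and
// returns the upstream's response body.
func forward(client *http.Client, target string, in http.Header, scrub bool) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	req.Header = outboundHeaders(in, scrub)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// newEchoUpstream stands in for an external cloud API. It replies with the
// sorted, comma-joined names of any impersonation headers it received.
func newEchoUpstream() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var seen []string
		for name := range r.Header {
			if isImpersonationHeader(name) {
				seen = append(seen, name)
			}
		}
		sort.Strings(seen)
		io.WriteString(w, strings.Join(seen, ","))
	}))
}

// sampleInbound is a constructed header set of the kind a logged-in user's
// proxied call might carry; the values are made up for this example.
func sampleInbound() http.Header {
	h := http.Header{}
	h.Set("Impersonate-User", "u-abc123")
	h.Set("Impersonate-Extra-Username", "alice@example.com")
	h.Set("Impersonate-Extra-Principalid", "local://u-abc123")
	return h
}

func main() {
	up := newEchoUpstream()
	defer up.Close()
	for _, scrub := range []bool{false, true} {
		body, _ := forward(up.Client(), up.URL, sampleInbound(), scrub)
		fmt.Printf("scrub=%v upstream saw: %q\n", scrub, body)
	}
}
```

Running it prints the three impersonation header names for the unscrubbed forward and an empty string for the scrubbed one, which is the observable difference between an affected and a fixed proxy from the upstream's point of view. Stripping the whole `Impersonate-` prefix rather than just `Impersonate-Extra-*` is a deliberate choice here: none of those headers has any business reaching a third-party API.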
**Recommendations**
Update Rancher Manager to version 2.9.12 or later.
Update Rancher Manager to version 2.10.10 or later.
Update Rancher Manager to version 2.11.6 or later.
Update Rancher Manager to version 2.12.2 or later.
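To turn the four branch-specific fix versions into a check that can be run over an inventory of Rancher installations, here is an added Go example; it is not code from SUSE or the Rancher project. It encodes the ranges exactly as the advisory states them, reading "prior to X" per minor branch (so 2.10.9 is affected and 2.10.10 is not, regardless of what 2.11.6 says), and makes two assumptions the advisory does not spell out: releases older than the 2.9 branch are treated as affected because no fix is listed for them, and branches newer than 2.12 are treated as not affected because the advisory names none. The version strings in `main` are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed Rancher Manager release tag. pre is true for a
// pre-release such as "2.10.10-rc1", which sorts before the final release.
type version struct {
	major, minor, patch int
	pre                 bool
}

// fixedVersions are the first fixed releases per minor branch, from the advisory.
var fixedVersions = []version{
	{2, 9, 12, false}, {2, 10, 10, false}, {2, 11, 6, false}, {2, 12, 2, false},
}

// parseVersion accepts "2.9.12", "v2.9.12" and "v2.9.12-rc1" style strings.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core, _, pre := strings.Cut(s, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("bad version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return version{}, fmt.Errorf("bad version %q", s)
		}
		n[i] = x
	}
	return version{n[0], n[1], n[2], pre}, nil
}

// less reports whether a sorts before b; a pre-release of X sorts before X.
func less(a, b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// IsAffected reports whether a Rancher Manager version falls in an affected
// range for CVE-2025-54468 as the advisory describes it.
func IsAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, f := range fixedVersions {
		if v.major == f.major && v.minor == f.minor {
			return less(v, f), nil // same minor branch: compare with its fix
		}
	}
	// No branch named by the advisory (assumption): only releases older than
	// the oldest fixed version are treated as affected.
	return less(v, fixedVersions[0]), nil
}

func main() {
	for _, s := range []string{"v2.9.11", "2.10.10", "v2.10.10-rc1", "2.12.1", "2.13.0"} {
		affected, err := IsAffected(s)
		fmt.Printf("%-14s affected=%v err=%v\n", s, affected, err)
	}
}
```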