PT-2019-12180 · Rancher · Rancher
Published
2019-07-30
·
Updated
2024-06-10
·
CVE-2019-11202
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rancher versions 2.0.0 through 2.0.13
Rancher versions 2.1.0 through 2.1.8
Rancher versions 2.2.0 through 2.2.1
Description
An issue affects Rancher where a default admin user is created with a well-known password when it starts for the first time. Even if the default admin user is deleted after initial setup, restarting Rancher will recreate this user with the same default password. This allows an attacker to exploit the system by logging in with the default admin credentials.
Recommendations
For versions 2.0.0 through 2.0.13, deactivate the default admin user instead of deleting it to mitigate the issue.
For versions 2.1.0 through 2.1.8, deactivate the default admin user instead of deleting it to mitigate the issue.
For versions 2.2.0 through 2.2.1, deactivate the default admin user instead of deleting it to mitigate the issue.
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Rancher