PT-2019-12541 · Rancher · Rancher

Mauro Eldritch · Published 2019-06-10 · Updated 2024-12-04 · CVE-2019-11881

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Rancher versions prior to 2.2.4
Rancher version 2.1.4

Description

A vulnerability exists in the login component of Rancher, where the errorMsg parameter can be tampered with to display arbitrary content. Although tags are filtered, special characters and symbols are not, so a malicious user can lure legitimate users to phishing sites using scare tactics. For example, a message can be displayed stating "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading".

Recommendations

For versions prior to 2.2.4, update to version 2.2.4 or later to resolve the issue. For version 2.1.4, update to version 2.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the login component to minimize the risk of exploitation. Avoid using the errorMsg parameter in the login endpoint until the issue is resolved.
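The hardened handling the recommendations point towards (resolve errorMsg through an allow-list instead of echoing caller-supplied text) and a detection pass over access logs for the lure described above, as an added Go example that is not Rancher's own code: the /login path, the errorMsg query name, the allow-listed keys and the log lines are all assumptions constructed for the demo.

```go
package main

import (
	"net/url"
	"regexp"
)

// allowedErrors is a hypothetical allow-list: the login page maps a short
// error key to a fixed message instead of echoing caller-supplied text.
var allowedErrors = map[string]string{
	"invalid-credentials": "Invalid username or password.",
	"session-expired":     "Your session has expired. Please sign in again.",
}

// SafeErrorMessage is the hardened form of the errorMsg handling: an
// unknown or free-form value is never reflected, only a generic message.
func SafeErrorMessage(key string) string {
	if m, ok := allowedErrors[key]; ok {
		return m
	}
	return "Login failed."
}

// loginReqRe pulls the query string of a login request out of a
// common-log-format line (the /login path is an assumption).
var loginReqRe = regexp.MustCompile(`"(?:GET|POST) /login\?(\S*) HTTP/`)

// SampleLogLines are constructed for this demo, not real Rancher logs.
// The second one carries the lure text quoted in the advisory.
var SampleLogLines = []string{
	`10.0.0.5 - - [10/Jun/2019:12:00:00 +0000] "GET /login?errorMsg=invalid-credentials HTTP/1.1" 200 512`,
	`10.0.0.9 - - [10/Jun/2019:12:00:09 +0000] "GET /login?errorMsg=This+version+of+Rancher+is+outdated%2C+please+visit+https%3A%2F%2Fmalicious.rancher.site%2Fupgrading HTTP/1.1" 200 512`,
}

// FlagLoginRequests is the detection side: it returns the decoded errorMsg
// of every login request whose value is not an allow-listed key.
func FlagLoginRequests(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		m := loginReqRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		// ParseQuery decodes %XX escapes and '+' into the original text.
		q, _ := url.ParseQuery(m[1])
		v := q.Get("errorMsg")
		if _, ok := allowedErrors[v]; v != "" && !ok {
			flagged = append(flagged, v)
		}
	}
	return flagged
}
```

On a patched system every errorMsg value should be one of the allow-listed keys, so anything FlagLoginRequests returns is worth an alert.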

Related Identifiers

CVE-2019-11881
GHSA-2P4G-JRMX-R34M
GO-2024-2761

Affected Products

Rancher