PT-2023-14315 · Rancher · Rancher

Bybit-Sec · Published 2023-06-01 · Updated 2023-06-08 · CVE-2022-43760

CVSS v3.1: 8.4 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Rancher versions 2.6.0 through 2.6.12
Rancher versions 2.7.0 through 2.7.3

Description

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue allows users in higher-privileged groups to inject code that is executed within another user's browser. This enables the attacker to steal sensitive information, manipulate web content, or perform malicious actions on behalf of the victim. The affected areas are the Projects/Namespaces and Auth Provider sections; to exploit the issue, the attacker must be authenticated and have write access to those features. The required permissions are Project Owner, Restricted Admin, Configure Authentication, Administrator, or a custom RBAC role that grants write access to Projects or External Authentication Providers.

Recommendations

For versions 2.6.0 through 2.6.12, update to version 2.6.13 or later. For versions 2.7.0 through 2.7.3, update to version 2.7.4 or later. As a precautionary measure, rotate all API keys and kubeconfig tokens, review logs, and consider rotating credentials stored as secrets in Rancher and downstream clusters if users' credentials may have been compromised.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-43760
GHSA-46V3-GGJG-QQ3X

Affected Products

Rancher