PT-2023-1494 · Suse · Suse Rancher

Credits: Guilherme Macedo +1

Published: 2023-01-25 · Updated: 2023-02-15

CVE-2022-43758

CVSS v3.1: 7.6 High
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SUSE Rancher versions prior to 2.5.17
SUSE Rancher versions prior to 2.6.10
SUSE Rancher versions prior to 2.7.1

Description
A code execution issue exists due to improper neutralization of special elements used in an OS command, allowing command injection on the underlying Rancher host. It can be exploited in two ways: by adding an untrusted Helm catalog whose charts contain a maliciously crafted repo URL configuration, or by modifying the URL configuration used to download KDM releases. By default, only the Rancher admin has permission to manage these configurations.

Recommendations
For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later. As a temporary workaround, add only trusted catalogs and a trusted KDM URL to Rancher.
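The weakness classes listed below (OS command injection and argument injection through a URL) are illustrated here with an added Go example that is not Rancher's code: it assumes a hypothetical download step that hands a catalog or KDM URL to curl, and shows the unsafe shell-string form beside the validated, argv-based form a defender would expect.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"strings"
)

// shellMeta lists bytes that must never reach a command line built from a URL.
const shellMeta = ";|&$`<>(){}\n\r'\"\\ \t"

// ValidateRepoURL is the check a defender wants in front of any Helm catalog or KDM URL:
// an absolute http(s) URL with a host, no shell metacharacters or whitespace, no leading "-".
func ValidateRepoURL(raw string) error {
	switch {
	case strings.HasPrefix(raw, "-"): // argument injection: a CLI would read this as an option
		return errors.New("leading '-' would be parsed as a CLI option")
	case strings.ContainsAny(raw, shellMeta):
		return errors.New("contains shell metacharacters or whitespace")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return errors.New("only absolute http(s) URLs with a host are allowed")
	}
	return nil
}

// UnsafeFetchCommand is the weak pattern (constructed, not Rancher's code): the URL is
// spliced into a shell string, so any metacharacters in it become commands.
func UnsafeFetchCommand(rawURL string) *exec.Cmd {
	return exec.Command("sh", "-c", "curl -sSL "+rawURL+" -o /tmp/index.yaml")
}

// SafeFetchCommand is the hardened form: validate, then pass the URL as a single argv
// element after "--" (curl's end-of-options marker), with no shell in between.
func SafeFetchCommand(rawURL string) (*exec.Cmd, error) {
	if err := ValidateRepoURL(rawURL); err != nil {
		return nil, err
	}
	return exec.Command("curl", "-sSL", "-o", "/tmp/index.yaml", "--", rawURL), nil
}

func main() { // constructed sample inputs: one clean URL, one carrying a shell separator
	for _, in := range []string{"https://charts.example.org/index.yaml", "https://charts.example.org/;echo"} {
		fmt.Printf("%q -> %v\n", in, ValidateRepoURL(in))
	}
}
```

The deny-list is only a backstop; the actual fix is never routing an admin-supplied URL through a shell and always terminating option parsing before it.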

Fix

Weakness Enumeration
Command Injection
Argument Injection
OS Command Injection

Related Identifiers
BDU:2023-00908
CVE-2022-43758
GHSA-34P5-JP77-FCRC

Affected Products

Suse Rancher