PT-2025-19347

Published 2025-04-25 · Updated 2025-05-07 · CVE-2023-32198

CVSS v3.1 8.0 High
Vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Steve versions prior to v0.2.1
Steve versions prior to v0.3.3
Steve versions prior to v0.4.4
Steve versions prior to v0.5.13
Description

A vulnerability has been identified in Steve: by default it uses an insecure TLS option and does not validate the certificate presented by the remote server when it opens a TLS connection. Because the server's identity is never checked, anyone positioned between Steve and the remote server can impersonate that server and read or alter the traffic, which allows a man-in-the-middle (MitM) attack against services that use Steve. For example, a user with permission to create a service in Rancher's local cluster can take over Rancher's UI and serve their own UI to gather sensitive information when the setting ui-offline-preferred has been manually set to remote. This enables further attacks such as cross-site scripting (XSS) or tampering with the UI to collect other users' passwords. Note that this example depends on a non-default setting and on an already privileged Rancher user, which is what the AC:H and PR:H components of the CVSS vector reflect.
Recommendations

For versions prior to v0.2.1, update to v0.2.1 or later.
For versions prior to v0.3.3, update to v0.3.3 or later.
For versions prior to v0.4.4, update to v0.4.4 or later.
For versions prior to v0.5.13, update to v0.5.13 or later.

As a temporary workaround, if you cannot upgrade to a fixed version, make sure that Steve only connects to trusted servers. Keep in mind that this workaround replaces cryptographic verification with trust in the network path, so it only holds while no attacker can intercept or redirect the connection between Steve and the remote server.
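The failure mode described above, shown in Go as an added example (this is not Steve's or Rancher's own code, and nothing here is taken from Steve's source): a client with InsecureSkipVerify set, which is how a Go program disables server certificate validation, accepts a server presenting a certificate no trust store knows; the same client with default verification refuses it; and a client that pins the one CA it expects accepts only that server, which is the hardened form of "only connect to trusted servers". The httptest TLS server and the "attacker-controlled UI" page are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newClient returns an HTTP client whose TLS verification is controlled by
// skipVerify. skipVerify=true reproduces the insecure default the advisory
// describes: InsecureSkipVerify turns off validation of the server's
// certificate chain and hostname, so any certificate is accepted.
// skipVerify=false keeps Go's default verification against the system roots.
func newClient(skipVerify bool) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
		},
	}
}

// newPinnedClient trusts exactly one CA certificate and nothing else. This is
// the hardened form for reaching a server that is not in the system trust
// store: verification stays enabled, only the set of trusted issuers changes.
func newPinnedClient(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool},
		},
	}
}

// fetch performs a GET and returns the body, or the transport/TLS error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// Result records which clients accepted the untrusted server.
type Result struct {
	InsecureAccepted bool   // InsecureSkipVerify=true client
	DefaultAccepted  bool   // default-verifying client
	PinnedAccepted   bool   // client that trusts only the expected CA
	InsecureBody     string // what the insecure client received
	DefaultErr       string // why the verifying client refused
}

// runDemo starts a TLS server whose self-signed certificate no client trusts
// by default. It stands in for an attacker-controlled endpoint impersonating
// the remote UI (constructed for this example); the page body is a fake UI.
func runDemo() Result {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "<html><body>attacker-controlled UI</body></html>")
	}))
	defer srv.Close()

	var res Result

	body, err := fetch(newClient(true), srv.URL)
	res.InsecureAccepted = err == nil
	res.InsecureBody = body

	_, err = fetch(newClient(false), srv.URL)
	res.DefaultAccepted = err == nil
	if err != nil {
		res.DefaultErr = err.Error()
	}

	// srv.Certificate() is the test server's CA; pinning it is the only
	// trust decision the client makes, and hostname checking still applies.
	_, err = fetch(newPinnedClient(srv.Certificate()), srv.URL)
	res.PinnedAccepted = err == nil
	return res
}

func main() {
	r := runDemo()
	fmt.Printf("InsecureSkipVerify=true accepted untrusted server: %v (got %q)\n", r.InsecureAccepted, r.InsecureBody)
	fmt.Printf("default verification accepted untrusted server: %v (%s)\n", r.DefaultAccepted, r.DefaultErr)
	fmt.Printf("pinned CA accepted expected server: %v\n", r.PinnedAccepted)
}
```

The insecure client happily returns the attacker's page, the default client fails with an x509 "unknown authority" class error before any HTTP bytes are exchanged, and the pinned client succeeds only because it was told which CA to expect. When auditing a Go service for this class of bug, grep for InsecureSkipVerify and treat any occurrence that is not behind an explicit, documented operator opt-in as a finding.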

Fix

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2023-32198
GHSA-95FC-G4GJ-MQMX
GO-2025-3648
OPENSUSE-SU-2025:15059-1

Affected Products

Rancher
Steve