PT-2025-35332 · Suse · Rancher Manager

Published

2025-08-29

·

Updated

2025-09-01

·

CVE-2024-58259

CVSS v3.1
8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions:

Rancher Manager releases before 2.9.12, 2.10.x before 2.10.9, 2.11.x before 2.11.5, and 2.12.x before 2.12.1 (2.9.12, 2.10.9, 2.11.5 and 2.12.1 are the fixed releases of each branch)

Description:

A high-severity denial-of-service (DoS) flaw exists in Rancher Manager. Rancher does not enforce a maximum request body size on certain API endpoints, so an attacker can send an excessively large payload that the server buffers in memory until the process exhausts its memory and crashes. The affected endpoints include the unauthenticated `/v3-public/*` routes, so no credentials are required (CVSS PR:N), as well as several authenticated APIs. A successful attack disrupts Rancher's availability and with it the administrative and user operations that depend on it.
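The weakness the description names, and the handler-level fix, as an added Go example that is not Rancher's code: a handler that buffers the request body with no cap beside one that wraps it in http.MaxBytesReader, plus middleware that applies the same cap to every route. The 1 MiB cap, the handler and helper names, and the simulated 16 MiB request are assumptions for this example; the advisory does not state the limit Rancher adopted.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed cap for this example; the advisory does not
// state the limit Rancher enforces after the fix.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

// zeroReader yields an endless stream of zero bytes, so a huge request body
// can be simulated without the client side allocating it.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// countingReader records how many body bytes the handler actually pulled in.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// vulnerableHandler shows the flaw class from the advisory: io.ReadAll with
// no cap buffers the entire body in memory, however large the client makes it.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes\n", len(body))
}

// hardenedHandler wraps the body in http.MaxBytesReader, so at most
// maxBodyBytes+1 bytes are ever read and an oversized request is rejected
// with 413 before the server buffers it (*http.MaxBytesError needs Go 1.19+).
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes\n", len(body))
}

// limitBody applies the cap as middleware, so every route, including
// unauthenticated ones such as /v3-public/*, is protected even if an
// individual handler still reads the body without a limit of its own.
func limitBody(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// post sends an n-byte body to h in-process (via httptest) and returns the
// HTTP status plus the number of body bytes the handler consumed. The path
// is only illustrative; the cap must not depend on it.
func post(h http.Handler, n int64) (status int, consumed int64) {
	body := &countingReader{r: io.LimitReader(zeroReader{}, n)}
	req := httptest.NewRequest(http.MethodPost, "/v3-public/", body)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, body.n
}

func main() {
	const oversized = 16 << 20 // 16 MiB, well past the 1 MiB cap
	s, c := post(http.HandlerFunc(vulnerableHandler), oversized)
	fmt.Printf("vulnerable: status=%d consumed=%d\n", s, c) // 200, all 16 MiB buffered
	s, c = post(http.HandlerFunc(hardenedHandler), oversized)
	fmt.Printf("hardened:   status=%d consumed=%d\n", s, c) // 413, 1 MiB + 1 byte read
	s, c = post(limitBody(maxBodyBytes, http.HandlerFunc(vulnerableHandler)), oversized)
	fmt.Printf("middleware: status=%d consumed=%d\n", s, c) // 400 from the old handler, but still capped
}
```

The third case is the practical point for a fix like this one: once the cap is applied before the handler runs, even an unchanged handler reads at most the cap plus one byte, so memory stays bounded no matter which endpoint the attacker targets; only the status code it returns (400 here instead of 413) depends on how that handler maps the read error.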

Recommendations:

Upgrade to the fixed release of the Rancher Manager branch in use: 2.9.12, 2.10.9, 2.11.5 or 2.12.1.

If upgrading is not immediately possible, enforce a request body size limit in front of Rancher, for example with an nginx-ingress controller (the `nginx.ingress.kubernetes.io/proxy-body-size` annotation on the Rancher Ingress), and make sure clients can reach Rancher only through that ingress: a limit at the ingress protects nothing if the Rancher service or pods are reachable directly. The limit must cover the unauthenticated `/v3-public/*` paths as well as the authenticated APIs.

Fix

Weakness Enumeration

Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

CVE-2024-58259
GHSA-4h45-jpvh-6p5j

Affected Products

Rancher Manager