PT-2025-39663 · Suse · Rancher

Published: 2025-09-26 · Updated: 2025-10-27 · CVE-2024-58260

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions

Rancher versions prior to 2.12.2
Rancher versions prior to 2.11.6
Rancher versions prior to 2.10.10
Rancher versions prior to 2.9.12
Description

A missing server-side validation on the .username field in Rancher allows users with update permissions on other User resources to cause denial of access for targeted accounts. A malicious or compromised account with elevated update privileges on User resources can therefore disrupt platform administration and user authentication. This can lead to username takeover: an attacker sets another user's .username to "admin", preventing both the legitimate admin and the affected user from logging in. It also enables account lockout by changing the admin's own username, effectively blocking administrative access to the Rancher UI.
Recommendations

Upgrade to Rancher version 2.12.2 or later.
Upgrade to Rancher version 2.11.6 or later.
Upgrade to Rancher version 2.10.10 or later.
Upgrade to Rancher version 2.9.12 or later.
If upgrading is not possible, restrict update permissions on User resources to trusted users only.

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-58260
GHSA-Q82V-H4RQ-5C86
GO-2025-3983
OPENSUSE-SU-2025:15666-1
SUSE-SU-2025:3799-1

Affected Products

Rancher