CVE-2019-11202: Rancher Recreates Default User With Known Password Despite Deletion

May 24, 2022 (updated June 10, 2024)

An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 through 2.2.1. When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin credentials. This can be mitigated by deactivating the default admin user rather than completing deleting them.

References

forums.rancher.com/t/rancher-release-v2-2-2-addresses-rancher-cve-2019-11202-and-stability-issues/13977
github.com/advisories/GHSA-xh8x-j8h3-m5ph
github.com/rancher/rancher
nvd.nist.gov/vuln/detail/CVE-2019-11202
pkg.go.dev/vuln/GO-2024-2784

Detect and mitigate CVE-2019-11202 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →