Advisories for Golang/Github.com/Rancher/Rancher/Pkg/Clusterrouter package

2022
2021
2019

Cross-site Scripting

Rancher is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.