CVE-2019-13209: Cross-site Scripting

September 4, 2019 (updated September 6, 2019)

Rancher is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster’s Kubernetes API with the permissions and identity of the victim.

References

forums.rancher.com/c/announcements
forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801
nvd.nist.gov/vuln/detail/CVE-2019-13209

Detect and mitigate CVE-2019-13209 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →