CVE-2019-11202: Credentials Management

July 30, 2019 (updated August 12, 2019)

When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin credentials. This can be mitigated by deactivating the default admin user rather than completing deleting them.

References

forums.rancher.com/c/announcements
nvd.nist.gov/vuln/detail/CVE-2019-11202
rancher.com/docs/rancher/v2.x/en/security/

Detect and mitigate CVE-2019-11202 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →