CVE-2019-12274
Summary
| CVE | CVE-2019-12274 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-06-06 16:29:00 UTC |
| Updated | 2022-04-13 23:44:00 UTC |
| Description | In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml. |
Risk And Classification
Problem Types: CWE-668 | CWE-862
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Rancher Release - v2.2.4 - Addresses Rancher CVE-2019-12274 and CVE-2019-12303 - Announcements - Rancher Labs | CONFIRM | forums.rancher.com | Release Notes, Vendor Advisory |
| Latest Announcements topics - Rancher Labs | CONFIRM | forums.rancher.com | Release Notes, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.