x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280

GoVulnBot · 2024-11-21T15:01:40Z

Advisory GHSA-9c5p-35gj-jqp4 references a vulnerability in the following Go modules:

Module
github.com/rancher/rancher

Description:

Impact

A vulnerability has been identified within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the Apps Custom Resource Definition, resulting in any users with GET access to it to be able to read any sensitive information that are contained within the Apps’ values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2.

Application charts without sensitive data are not affected by this vulnerability.
This vulnerability impacts any Helm applications installed ...

References:

ADVISORY: GHSA-9c5p-35gj-jqp4
ADVISORY: GHSA-9c5p-35gj-jqp4

Cross references:

github.com/rancher/rancher appears in 41 other report(s):
- data/excluded/GO-2022-0439.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-wm2r-rp98-8pmh #439) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0464.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-21951 #464) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0551.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-4fc7-hc63-7fjg #551) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0605.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-hx8w-ghh8-r4xf #605) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0610.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-jwvr-vv7p-gpwq, CVE-2021-36784 #610) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36782 #973) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0974.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36783 #974) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0975.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-31247 #975) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1511.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-34p5-jp77-fcrc #1511) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1513.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7m72-mh5r-6j3r #1513) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1514.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8c69-r38j-rpfj #1514) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1516.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c45c-39f6-6gw9 #1516) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1517.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-cq4p-vp5q-4522 #1517) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1518.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-g25r-gvq3-wrq7 #1518) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1736.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1814.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-43760 #1814) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1815.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22647 #1815) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1816.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22648 #1816) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1825.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8vhc-hwhc-cpj4 #1825) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1905.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m8r-jh89-rq7h #1905) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0644.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9qq2-xhmc-h9qr #644)
- data/reports/GO-2022-0755.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher/server: GHSA-xhg2-rvm8-w2jh #755)
- data/reports/GO-2023-1973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-w3x4-9854-95x8 #1973)
- data/reports/GO-2023-1991.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gc62-j469-9gjm #1991)
- data/reports/GO-2024-2535.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c85r-fwc7-45vc #2535)
- data/reports/GO-2024-2537.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xfj7-qf8w-2gcr #2537)
- data/reports/GO-2024-2760.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-28g7-896h-695v #2760)
- data/reports/GO-2024-2761.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-2p4g-jrmx-r34m #2761)
- data/reports/GO-2024-2762.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-53pj-67m4-9w98 #2762)
- data/reports/GO-2024-2764.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6r7x-4q7g-h83j #2764)
- data/reports/GO-2024-2768.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-f9xf-jq4j-vqw4 #2768)
- data/reports/GO-2024-2771.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gvh9-xgrq-r8hw #2771)
- data/reports/GO-2024-2778.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-pvxj-25m6-7vqr #2778)
- data/reports/GO-2024-2784.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xh8x-j8h3-m5ph #2784)
- data/reports/GO-2024-2929.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-64jq-m7rq-768h #2929)
- data/reports/GO-2024-2931.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9ghh-mmcq-8phc #2931)
- data/reports/GO-2024-2932.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-q6c7-56cq-g2wm #2932)
- data/reports/GO-2024-3161.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h4h5-9833-v2p4 #3161)
- data/reports/GO-2024-3220.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7h8m-pvw3-5gh4 #3220)
- data/reports/GO-2024-3221.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h99m-6755-rgwc #3221)
- data/reports/GO-2024-3223.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xj7w-r753-vj8v #3223)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rancher
      non_go_versions:
        - introduced: 2.8.0
        - fixed: 2.8.10
        - introduced: 2.9.0
        - fixed: 2.9.4
      vulnerable_at: 1.6.30
summary: Rancher Helm Applications may have sensitive values leaked in github.com/rancher/rancher
cves:
    - CVE-2024-52282
ghsas:
    - GHSA-9c5p-35gj-jqp4
references:
    - advisory: https://github.com/advisories/GHSA-9c5p-35gj-jqp4
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-9c5p-35gj-jqp4
source:
    id: GHSA-9c5p-35gj-jqp4
    created: 2024-11-21T15:01:40.270637739Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-11-21T19:43:48Z

Change https://go.dev/cl/630755 mentions this issue: data/reports: add 3 unreviewed reports

tatianab added the triaged label Nov 21, 2024

gopherbot closed this as completed in 842487c Nov 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280

GoVulnBot commented Nov 21, 2024

gopherbot commented Nov 21, 2024

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280

Comments

GoVulnBot commented Nov 21, 2024

Impact

gopherbot commented Nov 21, 2024