Rancher: Command injection in Git package
CVE-2022-43758

7.6HIGH

Key Information:

Vendor: Suse
Status: Rancher
Vendor: CVE Published:; 7 February 2023

Summary

An OS Command Injection vulnerability in SUSE Rancher enables users to execute arbitrary code if they can add untrusted Helm catalogs or alter the URL configuration for downloading KDM. This flaw primarily impacts admin users who have access to modify configurations, thereby potentially compromising system integrity and security. Affected versions include those prior to 2.5.17, 2.6.10, and 2.7.1, which showcase the critical need for users to upgrade to mitigate these risks.

Affected Version(s)

Rancher Rancher < 2.5.17

References

https://bugzilla.suse.com/show_bug.cgi?id=1205294

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 7, 2023
Vulnerability Reserved
Oct 26, 2022

Credit

Sam Sanoop