CVE-2019-12274

HIGH

Rancher 1-2.2.3 - Privilege Escalation

Title source: llm
STIX 2.1

Description

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

References (2)

Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://forums.rancher.com/c/announcements

Scores

CVSS v3 8.8
EPSS 0.0114
EPSS Percentile 63.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-668 CWE-862
Status published
Products (2)
rancher/rancher 2.0.0 - 2.2.4Go
suse/rancher 1.0.0 - 1.6.28
Published Jun 06, 2019
Tracked Since Feb 18, 2026