Impact
A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.
Please consult the associated MITRE ATT&CK - Technique - Drive-by Compromise for further information about this category of attack.
Patches
The fix introduces new changes in the directives responsible for sanitizing HTML code before rendering.
We replaced the v-tooltip directive with the v-clean-tooltip directive.
Patched versions include releases 2.9.4 and 2.10.0.
Workarounds
There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of /Rancher Manager which contains the fixes.
Credits
This issue was identified and reported by Bhavin Makwana from Workday’s Cyber Defence Team.
For more information
If you have any questions or comments about this advisory:
References
Impact
A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.
Please consult the associated MITRE ATT&CK - Technique - Drive-by Compromise for further information about this category of attack.
Patches
The fix introduces new changes in the directives responsible for sanitizing HTML code before rendering.
We replaced the
v-tooltipdirective with thev-clean-tooltipdirective.Patched versions include releases
2.9.4and2.10.0.Workarounds
There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of /Rancher Manager which contains the fixes.
Credits
This issue was identified and reported by Bhavin Makwana from Workday’s Cyber Defence Team.
For more information
If you have any questions or comments about this advisory:
References