Rancher Login Component errorMsg Parameter Vulnerability

By GIXnews


A vulnerability in the login component of Rancher could allow an unauthenticated, remote attacker to gain unauthorized access on a targeted system.

The vulnerability exists because the errorMsg parameter of the affected software can be tampered with to display arbitrary content. An attacker could exploit this vulnerability by persuading a user to visit phishing sites, which the attacker could then use to access sensitive information and gain unauthorized access to the affected software. A successful exploit could be used to conduct further attacks.

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

Rancher has confirmed the vulnerability and released software updates.
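Until the updates are applied, tampering with this parameter can be looked for in web access logs. The following detection sketch is an added example, not code from Rancher or from the original alert. Only the errorMsg parameter name comes from the alert; the log lines are constructed, and the /login path, the combined log format and the 80-character threshold are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
LINK_RE = re.compile(r"(?:https?://|www\.)", re.IGNORECASE)
MARKUP_RE = re.compile(r"<[^>]+>")
MAX_LEN = 80  # assumption: genuine login error strings are short


def suspicious_reasons(value):
    """Return why a decoded errorMsg value does not look like a real error."""
    reasons = []
    if LINK_RE.search(value):
        reasons.append("contains-link")
    if MARKUP_RE.search(value):
        reasons.append("contains-markup")
    if len(value) > MAX_LEN:
        reasons.append("too-long")
    return reasons


def scan(lines):
    """Return (line number, decoded value, reasons) for each flagged request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes, so encoded links are still caught.
        for value in parse_qs(query, keep_blank_values=True).get("errorMsg", []):
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append((lineno, value, reasons))
    return findings


# Constructed sample entries; the paths are assumptions, not taken from the alert.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2019:10:01:02 +0000] "GET /login?errorMsg=Logged%20out HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/May/2019:10:04:41 +0000] "GET /login?errorMsg=Service%20moved.%20Sign%20in%20at%20https%3A%2F%2Fportal.example.invalid HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2019:10:05:00 +0000] "GET /api/health HTTP/1.1" 200 17',
    '198.51.100.23 - - [10/May/2019:10:06:13 +0000] "GET /login?errorMsg=%3Cb%3ENotice%3C%2Fb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for lineno, value, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}: {value!r}")
```

Requests flagged this way are worth correlating with the Referer header and source address to find the users who followed a crafted link.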

Security Impact Rating: Low

CVE: CVE-2019-11881

Source: Cisco Multivendor Vulnerability Alerts