Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-43760 #1814

Closed
GoVulnBot opened this issue Jun 1, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-43760 #1814

GoVulnBot opened this issue Jun 1, 2023 · 1 comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2022-43760 references github.com/rancher/rancher, which may be a Go module.

Description:
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is
executed within another user's browser, allowing the attacker to steal
sensitive information, manipulate web content, or perform other
malicious activities on behalf of the victims. This could result in a
user with write access to the affected areas being able to act on behalf
of an administrator, once an administrator opens the affected web page.

This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/rancher/rancher
      packages:
        - package: Rancher
description: "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.\n\n\nThis issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n\n"
cves:
    - CVE-2022-43760
references:
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x
    - web: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760
@tatianab tatianab self-assigned this Jun 2, 2023
@tatianab tatianab added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jun 2, 2023
@tatianab tatianab removed their assignment Jun 2, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/500496 mentions this issue: data/excluded: batch add 9 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Jun 6, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 11, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 25, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Aug 2, 2023
Closed
This was referenced Feb 8, 2024
Closed
Closed
This was referenced Apr 24, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Jun 17, 2024
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot