安全公告和 CVE

Rancher 致力于向社区披露我们产品的安全问题。我们会针对已解决的问题发布安全公告和 CVE（Common Vulnerabilities and Exposures，通用漏洞披露）。Rancher GitHub 上的安全页面也会发布新的安全公告。

ID 描述日期解决

ID	描述	日期	解决
CVE-2023-32198	A vulnerability was found where users with permission to create a service in the Kubernetes cluster where Rancher is deployed can take over the Rancher UI, display their own UI, and gather sensitive information. This is only possible when the setting `ui-offline-preferred` is set to `remote`. This release introduces a patch, and the malicious user can no longer serve their own UI. If users can’t upgrade, please make sure that only trustable users have access to create a service in the local cluster.	24 Apr 2025	Rancher v2.11.1, v2.10.5, v2.9.9, and v2.8.15
CVE-2025-23391	A vulnerability has been identified within Rancher where a Restricted Administrator can change the password of Administrators and take over their accounts. A Restricted Administrator should not be allowed to change the password of more privileged users unless it contains the Manage Users permissions. A new validation has been added to block a user from editing or deleting another user with more permissions than themselves. Rancher deployments where the Restricted Administrator role is not being used are not affected by this CVE.	31 Mar 2025	Rancher v2.11.0, v2.10.4, v2.9.8 and v2.8.14
CVE-2025-23389	A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login. The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the User Retention feature with delete-inactive-user-after	27 Feb 2025	Rancher v2.10.3, v2.9.7 and v2.8.13
CVE-2025-23388	An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher’s `/v3-public/authproviders` public API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actually be written in the API. The downstream clusters, i.e., the clusters managed by Rancher, are not affected by this issue. This vulnerability affects those using external authentication providers as well as Rancher’s local authentication.	27 Feb 2025	Rancher v2.10.3, v2.9.7 and v2.8.13
CVE-2025-23387	A vulnerability has been identified within Rancher where it is possible for an unauthenticated user to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This effectively prevents users from logging in via the CLI when using rancher token as the execution command (instead of the token directly being in the kubeconfig). Note that this token is not the kubeconfig token and if an attacker is able to intercept it they can’t use it to impersonate a real user since it is encrypted.	27 Feb 2025	Rancher v2.10.3, v2.9.7 and v2.8.13
CVE-2024-52281	A high severity vulnerability was identified within the Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.	15 Jan 2025	Rancher v2.9.4 and v2.10.0
CVE-2024-52282	A medium severity vulnerability was discovered within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the Apps Custom Resource Definition, resulting in any users with GET access to it to be able to read any sensitive information that are contained within the Apps’ values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2. Rancher v2.7 is vulnerable and hasn’t received the fix.	19 Nov 2024	Rancher v2.9.4 and v2.8.10
CVE-2024-22036	A critical severity vulnerability was discovered within Rancher where a cluster or node driver can be used to escape the `chroot` jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land within the Rancher container itself. For test and development environments, based on a –privileged Docker container, it is possible to escape the Docker container and gain execution access on the host system.	24 Oct 2024	Rancher v2.9.3, v2.8.9 and v2.7.16
CVE-2023-32197	A critical severity vulnerability was discovered whereby Rancher Manager deployments containing Windows nodes have weak Access Control Lists (ACL), allowing `BUILTIN\Users` or `NT AUTHORITY\Authenticated Users` to view or edit sensitive files which could lead to privilege escalation. This vulnerability is exclusive to deployments that contain Windows nodes. Linux-only environments are not affected by it. Rancher v2.7 is vulnerable and hasn’t received the fix.	24 Oct 2024	Rancher v2.9.3 and v2.8.9
CVE-2022-45157	A critical severity vulnerability was discovered in the way that Rancher stores vSphere’s CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments. Rancher v2.7 is vulnerable and hasn’t received the fix.	24 Oct 2024	Rancher v2.9.3 and v2.8.9
CVE-2024-22030	A high severity vulnerability was discovered in Rancher’s agents that under very specific circumstances allows a malicious actor to take over existing Rancher nodes. The attacker needs to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain in order to exploit this vulnerability. The targeted domain is the one used as the Rancher URL (the `server-url` of the Rancher cluster).	19 Sep 2024	Rancher v2.9.2, v2.8.8 and v2.7.15
CVE-2024-22032	An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, where custom secrets encryption configurations are stored in plaintext under the clusters `AppliedSpec`. This also causes clusters to continuously reconcile, as the `AppliedSpec` would never match the desired cluster `Spec`. The stored information contains the encryption configuration for secrets within etcd, and could potentially expose sensitive data if the etcd database was exposed directly.	17 Jun 2024	Rancher v2.8.5 and v2.7.14
CVE-2023-32196	An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, where the webhook rule resolver ignores rules from a `ClusterRole` for an external `RoleTemplate` set with `.context=project` or `.context=""`. This allows a user to create an external `ClusterRole` with `.context=project` or `.context=""`, depending on the use of the new feature flag `external-rules` and backing `ClusterRole`.	17 Jun 2024	Rancher v2.8.5 and v2.7.14
CVE-2023-22650	An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, where Rancher did not have a user retention process for when external authentication providers are used, that could be configured to run periodically and disable and/or delete inactive users. The new user retention process added in Rancher v2.8.5 and Rancher v2.7.14 is disabled by default. If enabled, a user becomes subject to the retention process if they don’t log in for a configurable period of time. It’s possible to set overrides for user accounts that are primarily intended for programmatic access (e.g. CI, scripts, etc.) so that they don’t become subject to the retention process for a longer period of time or at all.	17 Jun 2024	Rancher v2.8.5 and v2.7.14
CVE-2023-32191	An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, in which supported RKE versions store credentials inside a ConfigMap that can be accessible by non-administrative users in Rancher. This vulnerability only affects an RKE-provisioned cluster.	17 Jun 2024	Rancher v2.8.5 and v2.7.14
CVE-2023-32193	在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。多个 Cross-Site Scripting (XSS) 漏洞可通过 Rancher UI (Norman) 进行利用。	2024 年 2 月 8 日	Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14
CVE-2023-32192	在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。多个 Cross-Site Scripting (XSS) 漏洞，可以通过 Rancher UI (Apiserver) 进行利用	2024 年 2 月 8 日	Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14
CVE-2023-22649	在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。敏感数据可能会泄漏到 Rancher 的审计日志中。	2024 年 2 月 8 日	Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14
CVE-2023-32194	在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。当为 “namespace” 资源类型授予 `create` 或 `*` 全局角色时，任何 API 组中拥有权限的用户可以管理核心 API 组中的 namespace。	2024 年 2 月 8 日	Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14

CVE-2023-32198

A vulnerability was found where users with permission to create a service in the Kubernetes cluster where Rancher is deployed can take over the Rancher UI, display their own UI, and gather sensitive information. This is only possible when the setting ui-offline-preferred is set to remote. This release introduces a patch, and the malicious user can no longer serve their own UI. If users can’t upgrade, please make sure that only trustable users have access to create a service in the local cluster.

24 Apr 2025

Rancher v2.11.1, v2.10.5, v2.9.9, and v2.8.15

CVE-2025-23391

A vulnerability has been identified within Rancher where a Restricted Administrator can change the password of Administrators and take over their accounts. A Restricted Administrator should not be allowed to change the password of more privileged users unless it contains the Manage Users permissions. A new validation has been added to block a user from editing or deleting another user with more permissions than themselves. Rancher deployments where the Restricted Administrator role is not being used are not affected by this CVE.

31 Mar 2025

Rancher v2.11.0, v2.10.4, v2.9.8 and v2.8.14

CVE-2025-23389

A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login.

The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the User Retention feature with delete-inactive-user-after

27 Feb 2025

Rancher v2.10.3, v2.9.7 and v2.8.13

CVE-2025-23388

An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher’s /v3-public/authproviders public API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actually be written in the API. The downstream clusters, i.e., the clusters managed by Rancher, are not affected by this issue.

This vulnerability affects those using external authentication providers as well as Rancher’s local authentication.

27 Feb 2025

Rancher v2.10.3, v2.9.7 and v2.8.13

CVE-2025-23387

A vulnerability has been identified within Rancher where it is possible for an unauthenticated user to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This effectively prevents users from logging in via the CLI when using rancher token as the execution command (instead of the token directly being in the kubeconfig).

Note that this token is not the kubeconfig token and if an attacker is able to intercept it they can’t use it to impersonate a real user since it is encrypted.

27 Feb 2025

Rancher v2.10.3, v2.9.7 and v2.8.13

CVE-2024-52281

A high severity vulnerability was identified within the Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field.

15 Jan 2025

Rancher v2.9.4 and v2.10.0

CVE-2024-52282

A medium severity vulnerability was discovered within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the Apps Custom Resource Definition, resulting in any users with GET access to it to be able to read any sensitive information that are contained within the Apps’ values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2. Rancher v2.7 is vulnerable and hasn’t received the fix.

19 Nov 2024

Rancher v2.9.4 and v2.8.10

CVE-2024-22036

A critical severity vulnerability was discovered within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land within the Rancher container itself. For test and development environments, based on a –privileged Docker container, it is possible to escape the Docker container and gain execution access on the host system.

24 Oct 2024

Rancher v2.9.3, v2.8.9 and v2.7.16

CVE-2023-32197

A critical severity vulnerability was discovered whereby Rancher Manager deployments containing Windows nodes have weak Access Control Lists (ACL), allowing BUILTIN\Users or NT AUTHORITY\Authenticated Users to view or edit sensitive files which could lead to privilege escalation. This vulnerability is exclusive to deployments that contain Windows nodes. Linux-only environments are not affected by it. Rancher v2.7 is vulnerable and hasn’t received the fix.

24 Oct 2024

Rancher v2.9.3 and v2.8.9

CVE-2022-45157

A critical severity vulnerability was discovered in the way that Rancher stores vSphere’s CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments. Rancher v2.7 is vulnerable and hasn’t received the fix.

24 Oct 2024

Rancher v2.9.3 and v2.8.9

CVE-2024-22030

A high severity vulnerability was discovered in Rancher’s agents that under very specific circumstances allows a malicious actor to take over existing Rancher nodes. The attacker needs to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain in order to exploit this vulnerability. The targeted domain is the one used as the Rancher URL (the server-url of the Rancher cluster).

19 Sep 2024

Rancher v2.9.2, v2.8.8 and v2.7.15

CVE-2024-22032

An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, where custom secrets encryption configurations are stored in plaintext under the clusters AppliedSpec. This also causes clusters to continuously reconcile, as the AppliedSpec would never match the desired cluster Spec. The stored information contains the encryption configuration for secrets within etcd, and could potentially expose sensitive data if the etcd database was exposed directly.

17 Jun 2024

Rancher v2.8.5 and v2.7.14

CVE-2023-32196

An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, where the webhook rule resolver ignores rules from a ClusterRole for an external RoleTemplate set with .context=project or .context="". This allows a user to create an external ClusterRole with .context=project or .context="", depending on the use of the new feature flag external-rules and backing ClusterRole.

17 Jun 2024

Rancher v2.8.5 and v2.7.14

CVE-2023-22650

An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, where Rancher did not have a user retention process for when external authentication providers are used, that could be configured to run periodically and disable and/or delete inactive users. The new user retention process added in Rancher v2.8.5 and Rancher v2.7.14 is disabled by default. If enabled, a user becomes subject to the retention process if they don’t log in for a configurable period of time. It’s possible to set overrides for user accounts that are primarily intended for programmatic access (e.g. CI, scripts, etc.) so that they don’t become subject to the retention process for a longer period of time or at all.

17 Jun 2024

Rancher v2.8.5 and v2.7.14

CVE-2023-32191

An issue was discovered in Rancher versions up to and including 2.7.13 and 2.8.4, in which supported RKE versions store credentials inside a ConfigMap that can be accessible by non-administrative users in Rancher. This vulnerability only affects an RKE-provisioned cluster.

17 Jun 2024

Rancher v2.8.5 and v2.7.14

CVE-2023-32193

在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。多个 Cross-Site Scripting (XSS) 漏洞可通过 Rancher UI (Norman) 进行利用。

2024 年 2 月 8 日

Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14

CVE-2023-32192

在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。多个 Cross-Site Scripting (XSS) 漏洞，可以通过 Rancher UI (Apiserver) 进行利用

2024 年 2 月 8 日

Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14

CVE-2023-22649

在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。敏感数据可能会泄漏到 Rancher 的审计日志中。

2024 年 2 月 8 日

Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14

CVE-2023-32194

在 Rancher 2.6.13、2.7.9 和 2.8.1 及之前的版本中发现了一个问题。当为 “namespace” 资源类型授予 create 或 * 全局角色时，任何 API 组中拥有权限的用户可以管理核心 API 组中的 namespace。

2024 年 2 月 8 日

Rancher v2.8.2、https://github.com/rancher/rancher/releases/tag/v2.7.10[v2.7.10] 和 v2.6.14