Insertion of Sensitive Information into Log File Affecting github.com/rancher/rancher package, versions >=2.6.0 <2.6.14 >=2.7.0 <2.7.10 >=2.8.0 <2.8.2
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHER-6239654
- published 9 Feb 2024
- disclosed 8 Feb 2024
- credit Unknown
Introduced: 8 Feb 2024
CVE-2023-22649 Open this link in a new tabHow to fix?
Upgrade github.com/rancher/rancher to version 2.6.14, 2.7.10, 2.8.2 or higher.
Overview
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the "Rancher Audit Logging" feature. An attacker can access sensitive information by exploiting the logging of sensitive data such as HTTP headers, API server calls, and raw command lines used by agents. This is only exploitable if the AUDIT_LEVEL is set to 1 or above and the Audit Logging feature is enabled.
Workaround
This vulnerability can be mitigated by ensuring that the log is handled appropriately and it is not shared with other users or shipped into a log ingestion solution without the appropriate RBAC enforcement. Alternatively, disabling the Audit feature or decreasing it to the audit level 0, mitigates the issue.