Improper Authentication Affecting github.com/rancher/rancher/pkg/controllers/management/auth package, versions >=2.0.0 <2.0.14, >=2.1.0 <2.1.9, >=2.2.0 <2.2.2
- Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGCONTROLLERSMANAGEMENTAUTH-6673735
- published 25 Apr 2024
- disclosed 24 May 2022
- credit Unknown
Introduced: 24 May 2022
CVE-2019-11202
How to fix?
Upgrade github.com/rancher/rancher/pkg/controllers/management/auth
to version 2.0.14, 2.1.9, 2.2.2 or higher.
Overview
Affected versions of this package are vulnerable to Improper Authentication. When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is later restarted, the default admin user is recreated with the well-known default password, silently undoing the deletion. An attacker who can reach the Rancher login endpoint could exploit this by logging in with the default admin credentials. Operators running an affected version who deleted the default admin should check whether the account has reappeared after any restart.
Note:
This can be mitigated by deactivating the default admin user rather than deleting it. A deactivated user record still exists, so it is not recreated at restart, but it cannot be used to log in.
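The Go program below is an added illustration written for this page; it is not Rancher's code and does not reproduce the actual controller or the shipped fix. It models the behaviour the advisory describes (a start-up reconciler that recreates a missing "admin" user with the default password), puts one possible hardened variant beside it (a persisted marker that limits bootstrap to a single run), and shows why deactivating instead of deleting defuses the vulnerable variant. All type, function and setting names (`Store`, `ensureAdminVulnerable`, `ensureAdminHardened`, `bootstrap-admin-created`) are invented for the example, and the default password is a placeholder string rather than Rancher's real default.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// User is an illustrative stand-in for a Rancher management user (not Rancher's type).
type User struct {
	Name         string
	PasswordHash string
	Enabled      bool
}

// Store stands in for state that survives a Rancher restart: user records and
// a key/value settings bag. Both are illustrative, in-memory only.
type Store struct {
	Users    map[string]*User
	Settings map[string]string
}

func NewStore() *Store {
	return &Store{Users: map[string]*User{}, Settings: map[string]string{}}
}

const (
	bootstrapAdmin   = "admin"
	defaultPassword  = "WELL-KNOWN-DEFAULT"      // placeholder, not the real default
	bootstrapDoneKey = "bootstrap-admin-created" // invented marker, not a Rancher setting
)

func hash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

func newDefaultAdmin() *User {
	return &User{Name: bootstrapAdmin, PasswordHash: hash(defaultPassword), Enabled: true}
}

// ensureAdminVulnerable mirrors the flawed behaviour in the advisory: on every
// start, a missing "admin" user is (re)created with the well-known password,
// so deleting it only lasts until the next restart.
func ensureAdminVulnerable(s *Store) {
	if _, exists := s.Users[bootstrapAdmin]; !exists {
		s.Users[bootstrapAdmin] = newDefaultAdmin()
	}
}

// ensureAdminHardened is one way to close the hole (an illustration, not the
// change shipped in 2.0.14/2.1.9/2.2.2): bootstrap runs at most once and a
// persisted marker records that, so a later deletion survives restarts.
func ensureAdminHardened(s *Store) {
	if s.Settings[bootstrapDoneKey] == "true" {
		return
	}
	if _, exists := s.Users[bootstrapAdmin]; !exists {
		s.Users[bootstrapAdmin] = newDefaultAdmin()
	}
	s.Settings[bootstrapDoneKey] = "true"
}

// login models the local-auth check an attacker hits with the default
// credentials; missing, deactivated and wrong-password cases all fail.
func login(s *Store, name, password string) error {
	u, ok := s.Users[name]
	if !ok {
		return errors.New("unknown user")
	}
	if !u.Enabled {
		return errors.New("user is deactivated")
	}
	if u.PasswordHash != hash(password) {
		return errors.New("wrong password")
	}
	return nil
}

// Operator actions taken after initial setup.
func deleteAdmin(s *Store)     { delete(s.Users, bootstrapAdmin) }
func deactivateAdmin(s *Store) { s.Users[bootstrapAdmin].Enabled = false }

// DefaultCredsWorkAfterRestart runs first start -> operator action -> restart
// and reports whether the well-known default credentials still log in.
func DefaultCredsWorkAfterRestart(reconcile, operatorAction func(*Store)) bool {
	s := NewStore()
	reconcile(s)      // first start: default admin is created
	operatorAction(s) // administrator deletes or deactivates it
	reconcile(s)      // Rancher restarts and the controller runs again
	return login(s, bootstrapAdmin, defaultPassword) == nil
}

func main() {
	fmt.Println("vulnerable + delete:    ", DefaultCredsWorkAfterRestart(ensureAdminVulnerable, deleteAdmin))
	fmt.Println("vulnerable + deactivate:", DefaultCredsWorkAfterRestart(ensureAdminVulnerable, deactivateAdmin))
	fmt.Println("hardened + delete:      ", DefaultCredsWorkAfterRestart(ensureAdminHardened, deleteAdmin))
	fmt.Println("hardened + deactivate:  ", DefaultCredsWorkAfterRestart(ensureAdminHardened, deactivateAdmin))
}
```

Only the vulnerable reconciler combined with deletion leaves the default credentials working after the restart; deactivation keeps the record in place so the existence check is satisfied and nothing is recreated, which is the mitigation the note above describes. The marker-based variant is shown to make the design point concrete (bootstrap should be a one-time event recorded in persistent state, not a property re-derived from "is the user present"), not as a description of the upstream patch.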