x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gc62-j469-9gjm

[GoVulnBot]

In GitHub Security Advisory GHSA-gc62-j469-9gjm, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/rancher/rancher	1.6.27	< 1.6.27	github.com/rancher/rancher	2.2.4	>= 2.0.0, < 2.2.4

Cross references:

• Module github.com/rancher/rancher appears in issue #439 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #464 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #551 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #605 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #610 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #644 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #973 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #974 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #975 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1511 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1513 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1514 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1516 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1517 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1518 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1736 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1814 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1815 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1816 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1825 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1905 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #1973 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue #755

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/rancher/rancher
      versions:
        - fixed: 1.6.27
      vulnerable_at: 1.6.27-rc1
      packages:
        - package: github.com/rancher/rancher
    - module: github.com/rancher/rancher
      versions:
        - introduced: 2.0.0
          fixed: 2.2.4
      vulnerable_at: 2.2.4-rc9+incompatible
      packages:
        - package: github.com/rancher/rancher
summary: Rancher Privilege Escalation Vulnerability
description: |-
    In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy
    nodes) can gain admin access to the Rancher management plane because node driver
    options intentionally allow posting certain data to the cloud. The problem is
    that a user could choose to post a sensitive file such as /root/.kube/config or
    /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
cves:
    - CVE-2019-12274
ghsas:
    - GHSA-gc62-j469-9gjm
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2019-12274
    - web: https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
    - advisory: https://github.com/advisories/GHSA-gc62-j469-9gjm

[gopherbot]

Change https://go.dev/cl/516055 mentions this issue: data/excluded: batch add 10 excluded reports

[gopherbot]

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606789 mentions this issue: data/reports: unexclude 20 reports (9)