x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h4h5-9833-v2p4

Advisory GHSA-h4h5-9833-v2p4 references a vulnerability in the following Go modules:

Module
github.com/rancher/rancher

Description:

Impact

A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this vulnerability. The targeted domain is the one used as the Rancher URL.

SUSE is unaware of any successful exploitation of this vulnerability, which has a high complexity bar.

Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle for fu...

References:

Cross references:

github.com/rancher/rancher appears in 37 other report(s):
- data/excluded/GO-2022-0439.yaml (https://github.com/golang/vulndb/issues/439) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0464.yaml (https://github.com/golang/vulndb/issues/464) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0551.yaml (https://github.com/golang/vulndb/issues/551) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0605.yaml (https://github.com/golang/vulndb/issues/605) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0610.yaml (https://github.com/golang/vulndb/issues/610) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0973.yaml (https://github.com/golang/vulndb/issues/973) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0974.yaml (https://github.com/golang/vulndb/issues/974) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0975.yaml (https://github.com/golang/vulndb/issues/975) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1511.yaml (https://github.com/golang/vulndb/issues/1511) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1513.yaml (https://github.com/golang/vulndb/issues/1513) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1514.yaml (https://github.com/golang/vulndb/issues/1514) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1516.yaml (https://github.com/golang/vulndb/issues/1516) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1517.yaml (https://github.com/golang/vulndb/issues/1517) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1518.yaml (https://github.com/golang/vulndb/issues/1518) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1736.yaml (https://github.com/golang/vulndb/issues/1736) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1814.yaml (https://github.com/golang/vulndb/issues/1814) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1815.yaml (https://github.com/golang/vulndb/issues/1815) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1816.yaml (https://github.com/golang/vulndb/issues/1816) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1825.yaml (https://github.com/golang/vulndb/issues/1825) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1905.yaml (https://github.com/golang/vulndb/issues/1905) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0644.yaml (https://github.com/golang/vulndb/issues/644)
- data/reports/GO-2022-0755.yaml (https://github.com/golang/vulndb/issues/755)
- data/reports/GO-2023-1973.yaml (https://github.com/golang/vulndb/issues/1973)
- data/reports/GO-2023-1991.yaml (https://github.com/golang/vulndb/issues/1991)
- data/reports/GO-2024-2535.yaml (https://github.com/golang/vulndb/issues/2535)
- data/reports/GO-2024-2537.yaml (https://github.com/golang/vulndb/issues/2537)
- data/reports/GO-2024-2760.yaml (https://github.com/golang/vulndb/issues/2760)
- data/reports/GO-2024-2761.yaml (https://github.com/golang/vulndb/issues/2761)
- data/reports/GO-2024-2762.yaml (https://github.com/golang/vulndb/issues/2762)
- data/reports/GO-2024-2764.yaml (https://github.com/golang/vulndb/issues/2764)
- data/reports/GO-2024-2768.yaml (https://github.com/golang/vulndb/issues/2768)
- data/reports/GO-2024-2771.yaml (https://github.com/golang/vulndb/issues/2771)
- data/reports/GO-2024-2778.yaml (https://github.com/golang/vulndb/issues/2778)
- data/reports/GO-2024-2784.yaml (https://github.com/golang/vulndb/issues/2784)
- data/reports/GO-2024-2929.yaml (https://github.com/golang/vulndb/issues/2929)
- data/reports/GO-2024-2931.yaml (https://github.com/golang/vulndb/issues/2931)
- data/reports/GO-2024-2932.yaml (https://github.com/golang/vulndb/issues/2932)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rancher
      non_go_versions:
        - introduced: 2.7.0
        - fixed: 2.7.15
        - introduced: 2.8.0
        - fixed: 2.8.8
        - introduced: 2.9.0
        - fixed: 2.9.2
      vulnerable_at: 1.6.30
summary: Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher
cves:
    - CVE-2024-22030
ghsas:
    - GHSA-h4h5-9833-v2p4
references:
    - advisory: https://github.com/advisories/GHSA-h4h5-9833-v2p4
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-h4h5-9833-v2p4
    - web: https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify
    - web: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings
source:
    id: GHSA-h4h5-9833-v2p4
    created: 2024-09-26T22:01:31.300644642Z
review_status: UNREVIEWED

golang / vulndb

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h4h5-9833-v2p4 #3161

Impact