CVE-2022-43760
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in SUSE Rancher lets an authenticated user with write permissions store script in content that the Rancher UI later renders. The script executes in the browser of any user who views the affected page, including administrators, and runs inside that viewer's authenticated session: it can read what the viewer sees, alter page content, and issue Rancher API requests in the viewer's name. Affects Rancher 2.6.0 to 2.6.12 and 2.7.0 to 2.7.3.
💻 Affected Systems
- SUSE Rancher
📦 What is this software?
Rancher is SUSE's open-source platform for provisioning and managing Kubernetes clusters from a single web UI and API. Administrators operate every managed cluster through that UI, so script that executes there runs with whatever access the logged-in administrator holds.
⚠️ Risk & Real-World Impact
Worst Case
An attacker whose account only has write access to some Rancher content escalates to full administrative control by having the injected script act on an administrator's behalf (for example by granting the attacker's own account an admin role or minting an API token). Because Rancher manages the clusters, that means control of every managed cluster: its workloads, secrets and kubeconfigs.
Likely Case
Injected script runs inside an administrator's authenticated Rancher session and issues API requests in their name, such as creating API tokens, changing role bindings or altering cluster configuration, and reads any data the administrator's pages display. It does not need the session cookie itself to do this.
If Mitigated
With the Rancher UI reachable only from administrative networks, write permissions limited to vetted users, and audit logging in place, the set of possible injectors shrinks and an injection is more likely to be caught. The stored script still executes for anyone who views it, so some exposure of whatever that viewer can see remains until the patch is applied.
🎯 Exploit Status
Exploitation requires an authenticated account with write permissions to the affected content and a privileged user (typically an administrator) viewing the page that renders it. Loading the page is enough to run the script; no further interaction with the injected content is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.6.13, Rancher 2.7.4
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x
Restart Required: Yes
Instructions:
1. Back up Rancher before upgrading (the rancher-backup operator for Helm installs, or the data volume for the single-node Docker install).
2. Upgrade to Rancher 2.6.13 (2.6.x branch) or 2.7.4 (2.7.x branch) using the method you installed with: helm upgrade against the Rancher chart on your Kubernetes cluster, or replacing the container image for the Docker install. Stay on the same minor branch unless you are following Rancher's documented upgrade path.
3. Allow the Rancher pods or container to restart; the upgrade rolls them.
4. Confirm the new version is reported (see How to Verify below) and that the UI and cluster agents reconnect normally.
🔧 Temporary Workarounds
Restrict User Permissions
Limit write permissions to trusted users only and apply least privilege: only accounts that need to create or edit Rancher-managed content should be able to. This shrinks the pool of possible injectors but does not protect against a trusted account that is itself compromised.
Content Security Policy
Adding a strict Content-Security-Policy header at the reverse proxy or ingress in front of Rancher can limit what injected script can do (for example, where it can send data). Test any policy against the Rancher UI in a non-production environment first: the UI is a single-page application that you do not control, and a policy that is too strict will break it. CSP reduces impact; it does not remove the stored script.
🧯 If You Can't Patch
- Restrict access to the Rancher management interface to administrative networks or a VPN, so that only users you already trust can reach it at all.
- Turn on Rancher's API audit log with request bodies recorded (audit level 2 or higher) and review write requests for script markers in free-text fields such as names, descriptions, labels and annotations; review the same fields in existing content, since a payload stored before monitoring began still fires.
🔍 How to Verify
Check if Vulnerable:
Check Rancher version via UI (Global Settings -> About) or API endpoint /v3/settings/server-version.
Check Version:
kubectl get settings.management.cattle.io server-version -o yaml | grep value
Verify Fix Applied:
Confirm version is 2.6.13 or higher for 2.6.x branch, or 2.7.4 or higher for 2.7.x branch.
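A version check that applies these thresholds, as an added example that is not Rancher's own tooling: it reads the version string from either the kubectl output or the /v3/settings/server-version response (both sample outputs below are constructed, not captured from a real system) and reports whether it falls in an affected range. The function names and the treatment of prerelease tags (a 2.7.4-rc1 build is reported as still affected, since it predates the 2.7.4 release) are this example's own choices.

```python
import json

# Affected ranges as listed on this page: 2.6.0-2.6.12 and 2.7.0-2.7.3.
# Keyed by (major, minor) -> first fixed patch level on that branch.
FIXED_PATCH = {(2, 6): 13, (2, 7): 4}


def parse_version(raw):
    """Turn 'v2.7.3', '2.7.4-rc1' or 'v2.6.12' into (major, minor, patch, prerelease)."""
    v = raw.strip().lstrip("v")
    core, _, pre = v.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Rancher version: {raw!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch, pre or None


def is_vulnerable(raw):
    """True if the version lies in an affected range.

    A prerelease of the fixed patch level (e.g. 2.7.4-rc1) is treated as
    unfixed because it sorts before the release that carries the fix.
    Branches not listed on this page return False; consult the vendor
    advisory for those rather than assuming they are safe.
    """
    major, minor, patch, pre = parse_version(raw)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False
    if patch < fixed:
        return True
    return patch == fixed and pre is not None


def version_from_setting_yaml(yaml_text):
    """Pull the top-level 'value:' field out of
    `kubectl get settings.management.cattle.io server-version -o yaml`."""
    for line in yaml_text.splitlines():
        if line.startswith("value:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no top-level 'value:' field in setting YAML")


def version_from_api_json(json_text):
    """Pull 'value' out of the /v3/settings/server-version API response."""
    return json.loads(json_text)["value"]


# Constructed sample outputs in the shape of the two checks above.
SAMPLE_YAML = """apiVersion: management.cattle.io/v3
customized: false
default: ""
kind: Setting
metadata:
  name: server-version
source: ""
value: v2.7.3
"""
SAMPLE_JSON = '{"id":"server-version","type":"setting","name":"server-version","value":"v2.7.4"}'

if __name__ == "__main__":
    for label, ver in (("kubectl", version_from_setting_yaml(SAMPLE_YAML)),
                       ("api", version_from_api_json(SAMPLE_JSON))):
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed or outside listed ranges"
        print(f"{label}: {ver} -> {state}")
```

Pipe the real kubectl output or an authenticated curl of the API endpoint into the two parsers; the affected-range table is the only part you would update if the advisory is revised.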
📡 Detection & Monitoring
Log Indicators:
- Write requests (POST/PUT/PATCH) in the Rancher API audit log whose bodies carry script markers (<script, javascript:, on…= event handlers, <img/<svg tags) in free-text fields such as names, descriptions, labels and annotations. Request bodies are only recorded at audit level 2 or higher.
- An administrator's session creating API tokens, changing role bindings or granting global roles shortly after the administrator loaded a page, especially if the beneficiary is a low-privileged account.
Network Indicators:
- Browsers with an open Rancher UI session making requests to unexpected external domains (the exfiltration step runs from the administrator's workstation, not from the Rancher server), and unusual authentication patterns such as a low-privileged account suddenly using a freshly issued token.
SIEM Query:
Template only; map the field names to your audit-log schema (Rancher audit records carry method, requestURI, user and requestBody):
sourcetype="rancher:audit" method IN ("POST","PUT","PATCH") (requestBody="*<script*" OR requestBody="*javascript:*" OR requestBody="*onerror=*" OR requestBody="*onload=*")
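The triage logic behind those indicators, as an added example that is not part of this page or of Rancher: it walks the request bodies of API audit records and flags string fields carrying common script-injection markers. The records are constructed for this example in the general shape of Rancher's audit log (method, requestURI, user, requestBody); the field names in your deployment's log shipper may differ, and the pattern list is deliberately broad for triage rather than a complete XSS filter.

```python
import json
import re

# Script-injection markers to look for in stored string fields. Broad on
# purpose: a few false positives are cheaper than a missed payload.
XSS_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"<\s*script\b",                          # <script ...>
        r"javascript\s*:",                        # javascript: URLs
        r"\bon[a-z]+\s*=",                        # onerror=, onload=, ...
        r"<\s*(img|svg|iframe|object|embed)\b",   # tag-based vectors
        r"srcdoc\s*=",
    )
]
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def _strings(obj, path="$"):
    """Yield (json_path, text) for every string leaf in a decoded JSON body."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")


def scan_audit_line(line):
    """Return findings for one JSON audit record; empty list if nothing suspicious."""
    rec = json.loads(line)
    if rec.get("method") not in WRITE_METHODS:
        return []                      # only writes can store a payload
    body = rec.get("requestBody")
    if isinstance(body, str):          # some shippers stringify the body
        try:
            body = json.loads(body)
        except ValueError:
            pass                       # keep it as one opaque string
    findings = []
    for path, text in _strings(body):
        for pat in XSS_PATTERNS:
            if pat.search(text):
                findings.append({
                    "user": (rec.get("user") or {}).get("name"),
                    "uri": rec.get("requestURI"),
                    "field": path,
                    "pattern": pat.pattern,
                    "sample": text[:80],
                })
                break                  # one finding per field is enough for triage
    return findings


def scan_audit_log(lines):
    return [f for line in lines if line.strip() for f in scan_audit_line(line)]


# Constructed records in the general shape of Rancher's API audit log;
# not captured from a real system. Record 4 carries a stringified body.
SAMPLE_LOG = r"""
{"auditID":"1","method":"PUT","requestURI":"/v3/projects/c-abc:p-xyz","user":{"name":"u-dev1"},"requestBody":{"name":"payments","description":"Payments team project"}}
{"auditID":"2","method":"PUT","requestURI":"/v3/projects/c-abc:p-xyz","user":{"name":"u-dev1"},"requestBody":{"name":"payments","description":"<img src=x onerror=\"fetch('/v3/tokens',{method:'POST'})\">"}}
{"auditID":"3","method":"GET","requestURI":"/v3/projects","user":{"name":"u-admin"},"requestBody":null}
{"auditID":"4","method":"POST","requestURI":"/v3/clusters","user":{"name":"u-dev2"},"requestBody":"{\"name\":\"edge\",\"annotations\":{\"field.cattle.io/description\":\"<script>alert(document.domain)</script>\"}}"}
"""

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

Running this over the sample flags the two write requests that store markup (records 2 and 4) and ignores the benign edit and the read. Point it at the audit log as an offline sweep, or lift the pattern list into the SIEM query above once you have confirmed the field names.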