CVE-2025-23387
📋 TL;DR
This vulnerability allows unauthenticated attackers to list and delete CLI authentication tokens in SUSE Rancher before the CLI can retrieve them. This affects Rancher versions 2.8.0-2.8.12, 2.9.0-2.9.6, and 2.10.0-2.10.2. The exposure of sensitive token information could lead to authentication disruption.
💻 Affected Systems
- SUSE Rancher
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete all CLI authentication tokens, disrupting automated operations and administrative access, potentially causing service outages and operational impact.
Likely Case
Unauthenticated users could enumerate CLI tokens and selectively delete them, causing intermittent authentication failures for CLI users and automated systems.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to internal users who might experience temporary CLI authentication issues.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to list/delete tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.13, 2.9.7, 2.10.3
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-5qmp-9x47-92q8
Restart Required: Yes
Instructions:
1. Back up your Rancher configuration and data.
2. Upgrade to Rancher 2.8.13, 2.9.7, or 2.10.3, depending on your current release line.
3. Restart Rancher services.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Rancher management interface to trusted IP addresses only (replace TRUSTED_IP with your management address or range; the ACCEPT rule must precede the DROP rule):
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Rancher management interface from untrusted networks.
- Monitor for unusual token deletion activities and implement alerting for authentication failures.
🔍 How to Verify
Check if Vulnerable:
Check Rancher version via kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}'
Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'rancher/rancher:v[0-9.]*'
Verify Fix Applied:
Confirm version is 2.8.13, 2.9.7, or 2.10.3 using the same command and test that unauthenticated token listing/deletion is no longer possible.
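The version check above is a manual comparison. The following POSIX shell script is an added example (not part of this advisory or of the Rancher project) that classifies an image tag against the affected and patched versions stated on this page: it extracts the x.y.z version from whatever `kubectl` printed (a bare tag, a `v`-prefixed tag, or a full image reference) and reports `affected`, `fixed`, `unlisted` (a release line this advisory does not cover) or `unknown` (no parseable version). The `check_rancher_pod` wrapper and the `rancher/rancher` image name are taken from the command on this page; pre-release suffixes such as `-rc1` are ignored by assumption.

```shell
#!/bin/sh
# Added example: classify a Rancher image tag against the ranges in this advisory.
# Affected: 2.8.0-2.8.12, 2.9.0-2.9.6, 2.10.0-2.10.2. Fixed: 2.8.13, 2.9.7, 2.10.3.

# rancher_version_status TAG
#   Prints "affected", "fixed", "unlisted" or "unknown" for TAG, which may be
#   "2.8.12", "v2.8.12" or a full image reference like "rancher/rancher:v2.8.12".
rancher_version_status() {
    # First x.y.z run in the string; a "-rc1" style suffix is deliberately ignored.
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi

    # Split on "." into positional parameters without relying on non-POSIX features.
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    major=$1
    minor=$2
    patch=$3

    # Patch level that carries the fix for each release line named in the advisory.
    case "$major.$minor" in
        2.8)  fix=13 ;;
        2.9)  fix=7 ;;
        2.10) fix=3 ;;
        *)    echo unlisted; return 0 ;;   # release line not covered by this advisory
    esac

    if [ "$patch" -lt "$fix" ]; then
        echo affected
    else
        echo fixed
    fi
}

# check_rancher_pod: live check using the kubectl command given on this page.
# Assumes the current kubeconfig context points at the Rancher management cluster.
check_rancher_pod() {
    image=$(kubectl get pods -n cattle-system -l app=rancher \
        -o jsonpath='{.items[0].spec.containers[0].image}')
    printf '%s\t%s\n' "$image" "$(rancher_version_status "$image")"
}

# Usage: ./rancher_cve_check.sh v2.8.12 rancher/rancher:v2.10.3
# With no arguments nothing runs, so the functions can be sourced from another script.
if [ "$#" -gt 0 ]; then
    for tag in "$@"; do
        printf '%s\t%s\n' "$tag" "$(rancher_version_status "$tag")"
    done
fi
```

Run it against the raw `kubectl` output rather than a hand-copied tag, so that a private-registry prefix or a `v` in the tag does not cause a misread; a result of `fixed` only confirms the version, the functional test the page describes (that unauthenticated token listing and deletion is rejected) is still needed.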
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to token endpoints
- Unexpected token deletion events
- Increased authentication failures for CLI users
Network Indicators:
- Unusual HTTP GET/DELETE requests to /v3/tokens endpoints from unauthenticated sources
SIEM Query:
source="rancher" AND (uri_path="/v3/tokens" AND (http_method="GET" OR http_method="DELETE") AND user="anonymous")
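The SIEM query above matches `uri_path` exactly against `/v3/tokens`, which would miss a DELETE addressed to an individual token path beneath it. The following shell/awk filter is an added example (not from this advisory or from Rancher) that applies the same logic, GET or DELETE against the `/v3/tokens` prefix by an anonymous user, to access-log lines. The key=value log format and the sample lines are constructed for the example; field names (`method`, `path`, `user`, `src`) are assumptions and should be mapped to whatever your log pipeline actually emits.

```shell
#!/bin/sh
# Added example: flag unauthenticated GET/DELETE requests to /v3/tokens in logs.
# Log format (constructed for this example): space-separated key=value pairs.

# Constructed sample lines; only the anonymous GET and the anonymous DELETE of a
# per-token path should be flagged. The POST and the /v3/clusters line are noise.
SAMPLE_LOG='ts=2025-01-01T10:00:00Z method=GET path=/v3/tokens user=alice src=10.0.0.5 status=200
ts=2025-01-01T10:00:01Z method=GET path=/v3/tokens user=anonymous src=203.0.113.7 status=200
ts=2025-01-01T10:00:02Z method=DELETE path=/v3/tokens/token-abc12 user=anonymous src=203.0.113.7 status=204
ts=2025-01-01T10:00:03Z method=POST path=/v3/tokens user=anonymous src=203.0.113.7 status=401
ts=2025-01-01T10:00:04Z method=GET path=/v3/clusters user=anonymous src=203.0.113.7 status=401'

# flag_token_requests: reads log lines on stdin, prints the ones matching the
# indicator on this page. The path test is a prefix match so that per-token
# paths such as /v3/tokens/<id> are included.
flag_token_requests() {
    awk '
    {
        split("", f)                      # reset the field map for each line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if ((f["method"] == "GET" || f["method"] == "DELETE") &&
            index(f["path"], "/v3/tokens") == 1 &&
            f["user"] == "anonymous")
            print
    }'
}

# count_flagged: number of matching lines on stdin (0 when nothing matches).
count_flagged() {
    flag_token_requests | grep -c .
}

# sources_flagged: distinct src values behind the matches, one per line, for
# building a block list or an alert summary.
sources_flagged() {
    flag_token_requests | awk '{
        for (i = 1; i <= NF; i++)
            if (index($i, "src=") == 1) print substr($i, 5)
    }' | sort -u
}

# Usage: ./token_watch.sh < rancher-access.log   (or pipe from kubectl logs)
# With no stdin redirect, demonstrate on the constructed sample instead.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_token_requests
fi
```

On a patched Rancher these requests should fail with an authentication error, so the same filter remains useful after upgrading: any anonymous GET or DELETE to the token endpoints that returns a 2xx status is a sign the fix is not in place.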