CVE-2022-31249
[RANCHER] OS command injection in Rancher and Fleet
In short
Rancher's Wrangler component fails to properly validate user input, allowing attackers to inject malicious operating system commands. These injected commands execute with the privileges of the Rancher service, potentially giving attackers full control of the underlying host.
Technical detail
An OS command injection vulnerability in Wrangler allows unauthenticated remote attackers to execute arbitrary OS commands on the host system via specially crafted input passed to command processing functions. The vulnerability stems from improper sanitization of user-supplied data before it is passed to OS command execution APIs. Affected are wrangler versions 0.7.3 and prior, 0.8.4 and prior, and 1.0.0 and prior.
Summary generated and translated by AI from the official description.
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
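The bug class described above, untrusted input reaching an OS command, illustrated in Go with the risky pattern beside a hardened one. This is an added example and not Wrangler's code; the `git rev-parse` command, the ref-name allow-list and the sample inputs are assumptions chosen to show the mechanism.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Illustrative only: not Wrangler's code. Models the bug class in the
// advisory (untrusted input handed to an OS command) and its remediation.

// VulnerableCommand concatenates untrusted input into one shell string.
// Because "sh -c" re-parses that string, shell metacharacters in ref
// change which commands run instead of being treated as plain data.
func VulnerableCommand(ref string) *exec.Cmd {
	return exec.Command("sh", "-c", "git rev-parse "+ref)
}

// safeRef is a deliberately strict allow-list for a git ref name
// (assumption: callers only ever need refs of this shape).
var safeRef = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$`)

// HardenedCommand validates the input against the allow-list and passes it
// as a discrete argv element, so no shell ever interprets it.
func HardenedCommand(ref string) (*exec.Cmd, error) {
	if !safeRef.MatchString(ref) || strings.Contains(ref, "..") {
		return nil, errors.New("ref rejected by allow-list")
	}
	// "--" stops git from reading a ref that starts with "-" as an option.
	return exec.Command("git", "rev-parse", "--", ref), nil
}

// ShellReparses reports whether a command is routed through "sh -c", the
// precondition for this injection class; useful as a code-review check.
func ShellReparses(c *exec.Cmd) bool {
	return len(c.Args) >= 2 && strings.HasSuffix(c.Args[0], "sh") && c.Args[1] == "-c"
}

func main() {
	// Constructed input containing a shell separator.
	crafted := "main; echo injected"
	fmt.Println("vulnerable goes through shell:", ShellReparses(VulnerableCommand(crafted)))
	if _, err := HardenedCommand(crafted); err != nil {
		fmt.Println("hardened:", err)
	}
}
```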
Affected products
SUSE · Rancher