CVE-2022-43760 - OpenCVE

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Suse	Rancher

Configuration 1 [-]

OR	cpe:2.3:a:suse:rancher::::::::
	cpe:2.3:a:suse:rancher::::::::

No data.

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760
https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x

History

No history.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2023-06-01T12:56:40.074Z

Updated: 2024-08-03T13:40:06.301Z

Reserved: 2022-10-26T06:52:18.766Z

Link: CVE-2022-43760

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-06-01T13:15:10.373

Modified: 2023-06-08T18:35:26.330

Link: CVE-2022-43760

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-43760", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2022-10-26T06:52:18.766Z", "datePublished": "2023-06-01T12:56:40.074Z", "dateUpdated": "2024-08-03T13:40:06.301Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Rancher", "vendor": "SUSE", "versions": [{"lessThan": "< 2.6.13", "status": "affected", "version": ">= 2.6.0", "versionType": "2.6.13"}, {"lessThan": "< 2.7.4", "status": "affected", "version": ">= 2.7.0", "versionType": "2.7.4"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "https://github.com/bybit-sec"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.<br></div><p>This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.</p>"}], "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.\n\n\nThis issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2023-06-01T12:56:40.074Z"}, "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:40:06.301Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x", "tags": ["x_transferred"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E9E01CC-9BB4-4A69-8F2D-ECCA9CF59580", "versionEndExcluding": "2.6.13", "versionStartIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "matchCriteriaId": "82B60ABA-3389-45F0-9F45-4D4D0D4738BC", "versionEndExcluding": "2.7.4", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.\n\n\nThis issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n"}], "id": "CVE-2022-43760", "lastModified": "2023-06-08T18:35:26.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2023-06-01T13:15:10.373", "references": [{"source": "meissner@suse.de", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760"}, {"source": "meissner@suse.de", "tags": ["Vendor Advisory"], "url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "meissner@suse.de", "type": "Primary"}]}