{"id":"CVE-2019-13209","details":"Rancher 2.0.0 through 2.2.4 is vulnerable to Cross-Site WebSocket Hijacking (CSWSH), which allows an attacker to gain access to clusters managed by Rancher. The attack requires a victim to be logged in to a Rancher server and then to visit a third-party site hosted by the attacker; because the browser attaches the victim's Rancher session credentials to the cross-origin WebSocket handshake, the attacker's page can open an authenticated WebSocket to the Rancher server. Once that is accomplished, the attacker can execute commands against the cluster's Kubernetes API with the permissions and identity of the victim, including any cluster-admin rights that user holds. The issue is addressed in Rancher 2.2.5 (see the release announcement in the references); until upgraded, any Rancher session used while browsing untrusted sites should be treated as potentially compromised.","aliases":["GHSA-xhg2-rvm8-w2jh","GO-2022-0755"],"modified":"2026-04-11T21:44:58.298561Z","published":"2019-09-04T14:15:11.200Z","references":[{"type":"ADVISORY","url":"https://forums.rancher.com/c/announcements"},{"type":"ADVISORY","url":"https://forums.rancher.com/t/rancher-release-v2-2-5-addresses-rancher-cve-2019-13209/14801"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rancher/rancher","events":[{"introduced":"14c6b3e8f903814c1bb9364187fb8193e33e7a82"},{"last_affected":"d353330b7f8432f8d7f252fbb6baf72d7b86037d"}],"database_specific":{"cpe":"cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.0.0"},{"last_affected":"2.2.4"}],"source":"CPE_FIELD"}}],"versions":["v2.0.0","v2.0.0-rc5","v2.0.1","v2.0.1-rc1","v2.0.1-rc2","v2.0.1-rc3","v2.0.1-rc4","v2.0.1-rc5","v2.0.1-rc6","v2.0.2","v2.0.2-rc1","v2.0.3","v2.0.3-rc1","v2.0.3-rc2","v2.0.3-rc3","v2.0.3-rc4","v2.0.3-rc5","v2.0.4","v2.0.4-rc1","v2.0.5","v2.0.5-rc1","v2.0.5-rc2","v2.0.5-rc3","v2.0.5-rc4","v2.0.5-rc5","v2.0.5-rc6","v2.0.6","v2.0.6-rc1","v2.0.6-rc2","v2.0.7","v2.0.7-rc1","v2.0.7-rc2","v2.0.7-rc3","v2.0.7-rc4","v2.0.7-rc5","v2.0.7-rc6","v2.0.8-rc2","v2.1.0","v2.1.0-rc1","v2.1.0-rc10","v2.1.0-rc2","v2.1.0-rc3","v2.1.0-rc4","v2.1.0-rc5","v2.1.0-rc6","v2.1.0-rc7","v2.1.0-rc8","v2.1.0-rc9","v2.2.0","v2.2.0-rc1","v2.2.0-rc10","v2.2.0-rc11","v2.2.0-rc12","v2.2.0-rc13","v2.2.0-rc14","v2.2.0-rc15","v2.2.0-rc2","v2.2.0-rc3","v2.2.0-rc4","v2.2.0-rc5","v2.2.0-rc6","v2.2.0-rc7","v2.2.0-rc8","v2.2.0-rc9","v2.2.1","v
2.2.1-rc1","v2.2.2","v2.2.2-rc1","v2.2.2-rc10","v2.2.2-rc11","v2.2.2-rc12","v2.2.2-rc13","v2.2.2-rc14","v2.2.2-rc2","v2.2.2-rc3","v2.2.2-rc4","v2.2.2-rc5","v2.2.2-rc6","v2.2.2-rc7","v2.2.2-rc8","v2.2.2-rc9","v2.2.3-rc1","v2.2.3-rc2","v2.2.3-rc3","v2.2.3-rc4","v2.2.3-rc5","v2.2.3-rc6","v2.2.3-rc7","v2.2.3-rc8","v2.2.3-rc9","v2.2.4","v2.2.4-rc1","v2.2.4-rc10","v2.2.4-rc11","v2.2.4-rc12","v2.2.4-rc13","v2.2.4-rc14","v2.2.4-rc15","v2.2.4-rc16","v2.2.4-rc17","v2.2.4-rc18","v2.2.4-rc19","v2.2.4-rc2","v2.2.4-rc20","v2.2.4-rc21","v2.2.4-rc22","v2.2.4-rc23","v2.2.4-rc3","v2.2.4-rc4","v2.2.4-rc5","v2.2.4-rc6","v2.2.4-rc7","v2.2.4-rc8","v2.2.4-rc9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13209.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}