{"id":"CVE-2021-31999","details":"A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as other users in the cluster by forging the \"Impersonate-User\" or \"Impersonate-Group\" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16.","aliases":["GHSA-pvxj-25m6-7vqr","GO-2024-2778"],"modified":"2026-05-18T21:06:45.425300Z","published":"2021-07-15T09:15:08.210Z","references":[{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1187084"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rancher/rancher","events":[{"introduced":"0"},{"fixed":"c29a771063e6926df6916990f1730e0574042ba8"},{"introduced":"65f3525cdc1167872af4140d45f3153698450c52"},{"fixed":"3c54189441fdac08fd4a1b3113216e085004f061"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"2.4.16"},{"introduced":"2.5.0"},{"fixed":"2.5.9"}],"cpe":"cpe:2.3:a:rancher:rancher:*:*:*:*:*:*:*:*"}}],"versions":["v2.4.16-rc1","v2.5.6-rc9","v2.5.6","v2.5.8-patch1","v2.4.16-rc5","v2.5.9-rc15","v2.4.16-rc4","v2.5.9-rc14","v2.4.16-rc3","v2.4.16-rc2","v2.5.9-rc13","v2.5.9-rc12","v2.5.9-rc11","v2.5.9-rc9","v2.5.9-rc10","v2.5.9-rc8","v2.5.9-rc7","v2.5.9-rc6","v2.5.9-rc5","v2.5.9-rc4","v2.5.9-rc3","v2.5.9-rc2","v2.5.9-rc1","v2.5.8-rc21","v2.5.8-rc20","v2.5.8","v2.5.8-rc18","v2.5.8-rc19","v2.5.8-rc17","v2.5.8-rc16","v2.5.8-rc15","v2.5.8-rc14","v2.5.8-rc13","v2.5.8-rc12","v2.5.8-rc11","v2.5.8-rc10","v2.5.8-rc9","v2.5.8-rc8","v2.5.8-rc3","v2.5.8-rc7","v2.5.8-rc6","v2.5.8-rc5","v2.5.8-rc4","v2.5.8-rc2","v2.5.6-rc5","v2.4.15","v2.4.14-rc4","v2.4.14-rc3","v2.4.14","v2.5.6-rc8","v2.5.6-rc7","v2.4.14-rc2","v2.5.6-rc6","v2.4.14-rc1","v2.5.6-rc4","v2.5.6-rc3","v2.4.13-rc6","v2.4.13","v2.4.13-rc5","v2.4.13-rc4","v2.5.6-rc2","v2.5.6-rc1","v2.4.13-rc3","v2.4.13-rc2","v2.4.13-rc1","v2.5.4-rc9","v2.5.4","v2.5.4-rc8","v2.4.9-rc4","v2.4.0-rc9","v2.5.4-rc7","v2.4.11-rc6","v2.4.11"
,"v2.5.4-rc6","v2.5.4-rc5","v2.5.4-rc4","v2.5.4-rc3","v2.5.4-rc2","v2.5.4-rc1","v2.4.11-rc2","v2.4.11-rc5","v2.4.11-rc4","v2.4.11-rc3","v2.5.2-rc10","v2.5.2","v2.4.11-rc1","v2.4.9-rc12","v2.4.9","v2.4.10-rc1","v2.4.10","v2.5.2-rc9","v2.4.9-rc11","v2.5.2-rc8","v2.5.2-rc7","v2.4.9-rc10","v2.4.9-rc9","v2.5.2-rc6","v2.5.2-rc5","v2.5.2-rc4","v2.4.9-rc8","v2.4.9-rc7","v2.4.9-rc6","v2.4.9-rc5","v2.4.9-rc3","v2.4.9-rc2","v2.5.2-rc3","v2.5.1-rc1","v2.5.1","v2.5.2-rc1","v2.5.2-rc2","v2.5.2-rc","v2.4.9-rc1","v2.5.0-rc9","v2.5.0","v2.4.8-rc3","v2.4.8","v2.4.8-rc2","2.4.8-rc2","v2.4.8-rc1","v2.4.7","v2.4.7-rc3","v2.4.7-rc2","v2.4.7-rc1","v2.4.6-rc12","v2.4.6","v2.4.6-rc11","v2.4.6-rc10","v2.4.6-rc9","v2.4.6-rc8","v2.4.6-rc7","v2.4.6-rc6","v2.4.6-rc5","v2.4.6-rc4","v2.4.6-rc1","v2.4.6-rc3","v2.4.6-rc2","v2.4.5-rc5","v2.4.5-rc10","v2.4.5","v2.4.5-rc9","v2.4.5-rc8","v2.4.5-rc7","v2.4.5-rc6","v2.4.5-rc4","v2.4.5-rc3","v2.4.5-rc2","v2.4.5-rc1","v2.4.3","v2.4.4-rc1","v2.4.3-rc7","v2.4.3-rc6","v2.4.3-rc5","v2.4.3-rc4","v2.4.3-rc3","v2.4.3-rc2","v2.4.3-rc1","v2.4.2-rc3","v2.4.2","v2.4.2-rc2","v2.4.2-rc1","v2.4.1-rc2","v2.4.1-rc1","v2.4.0-rc18","v2.4.0","v2.4.0-rc17","v2.4.0-rc16","v2.4.0-rc15","v2.4.0-rc14","v2.4.0-rc13","v2.4.0-rc12","v2.4.0-rc11","v2.4.0-rc10","v2.4.0-rc8","v2.4.0-rc7","v2.4.0-rc6","v2.4.0-rc5","v2.4.0-rc4","v2.4.0-rc3","v2.4.0-rc2","v2.4.0-rc1","v2.4.0-alpha1","v2.3.0-rc10","v2.3.0-rc9","v2.3.0-rc8","v2.3.0-rc7","v2.3.0-rc6","v2.3.0-rc5","v2.3.0-rc4","v2.3.0-rc3","v2.3.0-rc2","v2.3.0-rc1","v2.3.0-alpha7","v2.3.0-alpha6","v2.3.0-alpha5","v2.3.0-alpha4","v2.2.0-rc15","v2.2.0","v2.2.0-rc14","v2.2.0-rc13","v2.2.0-rc12","v2.2.0-rc11","v2.2.0-rc10","v2.2.0-rc9","v2.2.0-rc8","v2.2.0-rc7","v2.2.0-rc6","v2.2.0-rc5","v2.2.0-rc4","v2.2.0-rc3","v2.2.0-rc2","v2.2.0-rc1","v2.1.0","v2.1.0-rc10","v2.1.0-rc9","v2.1.0-rc8","v2.1.0-rc7","v2.1.0-rc6","v2.1.0-rc5","v2.1.0-rc4","v2.1.0-rc3","v2.1.0-rc2","v2.1.0-rc1","v2.0.8-rc2","v2.0.7-rc6","v2.0.7","v2.0.7-rc5","v2.0.7-rc4","v2.0.7-rc3"
,"v2.0.7-rc2","v2.0.7-rc1","v2.0.6-rc2","v2.0.6","v2.0.6-rc1","v2.0.5","v2.0.5-rc6","v2.0.5-rc5","v2.0.5-rc4","v2.0.5-rc3","v2.0.5-rc2","v2.0.5-rc1","v2.0.4-rc1","v2.0.4","v2.0.3-rc5","v2.0.3","v2.0.3-rc4","v2.0.3-rc3","v2.0.3-rc2","v2.0.3-rc1","v2.0.2-rc1","v2.0.2","v2.0.1","v2.0.1-rc6","v2.0.1-rc5","v2.0.1-rc4","v2.0.1-rc3","v2.0.1-rc2","v2.0.1-rc1","v2.0.0-rc5","v2.0.0","v2.0.0-rc4","v2.0.0-rc3","v2.0.0-rc2","v2.0.0-rc1","v2.0.0-beta4-rc4","v2.0.0-beta4","v2.0.0-beta4-rc3","v2.0.0-beta4-rc2","v2.0.0-beta4-rc1","v2.0.0-beta3-rc1","v2.0.0-beta3","v2.0.0-beta2","v2.0.0-beta1","v2.0.0-alpha28","v2.0.0-alpha27","v2.0.0-alpha26","v2.0.0-alpha25","v2.0.0-alpha24","v2.0.0-alpha22","v2.0.0-alpha23","v2.0.0-alpha21","v2.0.0-alpha20","v2.0.0-alpha19","v2.0.0-alpha18","v2.0.0-alpha17","v2.0.0-alpha14","v2.0.0-alpha12","v2.0.0-alpha11"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}