{"id":"CVE-2025-23387","details":"An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.","aliases":["GHSA-5qmp-9x47-92q8","GO-2025-3489"],"modified":"2026-04-09T10:37:12.204191Z","published":"2025-04-11T11:15:42.367Z","related":["openSUSE-SU-2025:14889-1"],"references":[{"type":"ADVISORY","url":"https://github.com/rancher/rancher/security/advisories/GHSA-5qmp-9x47-92q8"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23387"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rancher/rancher","events":[{"introduced":"72f58378bf03122a9651c9bd3b4c143a57e8fdaa"},{"fixed":"a717664d9c190b98a1d085744b3838bdc78e9f2a"},{"introduced":"9e0cc54e7e3a924cf0ed5c5d4db0a6e53805c75e"},{"fixed":"cecf1d1e99c7c046e73141d97595e18e0c0a78b2"},{"introduced":"df45e368c82d4027410fa4700371982b9236b7c8"},{"fixed":"ecc87e7d86e96949523872ab091c6f7a009b2f67"}],"database_specific":{"versions":[{"introduced":"2.8.0"},{"fixed":"2.8.13"},{"introduced":"2.9.0"},{"fixed":"2.9.7"},{"introduced":"2.10.0"},{"fixed":"2.10.3"}]}}],"versions":["v2.10.0","v2.10.1","v2.10.1-alpha1","v2.10.1-rc1","v2.10.2","v2.10.2-alpha1","v2.10.2-alpha2","v2.10.2-alpha3","v2.10.2-alpha4","v2.10.2-rc1","v2.10.3-alpha1","v2.10.3-alpha2","v2.10.3-rc1","v2.8.0","v2.8.0-rc5","v2.8.10","v2.8.10-alpha1","v2.8.10-alpha2","v2.8.10-rc1","v2.8.10-rc2","v2.8.11","v2.8.11-alpha1","v2.8.11-rc1","v2.8.12","v2.8.12-alpha1","v2.8.12-alpha2","v2.8.12-rc1","v2.8.13-alpha1","v2.8.13-rc1","v2.8.3","v2.8.3-alpha1","v2.8.3-alpha2","v2.8.3-rc1","v2.8.3-rc2","v2.8.3-rc3","v2.8.3-rc4","v2.8.3-rc5","v2.8.3-rc6","v2.8.3-rc7","v2.8.3-rc8","v2.8.4","v2.8.4-alpha1","v2.8.4-rc1","v2.8.4-rc2","v2.8.4-rc3","v2.8.4-rc4","v2.8.4-rc5","v2.8.6","v2.8.6-al
pha1","v2.8.6-alpha2","v2.8.6-alpha3","v2.8.6-alpha4","v2.8.6-alpha5","v2.8.6-alpha6","v2.8.6-rc1","v2.8.6-rc2","v2.8.6-rc3","v2.8.6-rc4","v2.8.7","v2.8.7-rc1","v2.8.7-rc10","v2.8.7-rc2","v2.8.7-rc3","v2.8.7-rc4","v2.8.7-rc5","v2.8.7-rc6","v2.8.7-rc7","v2.8.7-rc8","v2.8.7-rc9","v2.8.8","v2.8.8-alpha1","v2.8.8-alpha2","v2.8.8-rc1","v2.8.9","v2.8.9-alpha1","v2.8.9-alpha10","v2.8.9-alpha2","v2.8.9-alpha3","v2.8.9-alpha4","v2.8.9-alpha5","v2.8.9-alpha6","v2.8.9-alpha8","v2.8.9-alpha9","v2.8.9-rc1","v2.8.9-rc2","v2.9.0","v2.9.0-rc6","v2.9.1","v2.9.1-alpha1","v2.9.1-alpha2","v2.9.1-rc1","v2.9.1-rc2","v2.9.1-rc3","v2.9.1-rc4","v2.9.1-rc5","v2.9.1-rc6","v2.9.2","v2.9.2-alpha1","v2.9.2-alpha2","v2.9.2-alpha3","v2.9.2-alpha4","v2.9.2-alpha5","v2.9.2-alpha6","v2.9.2-alpha7","v2.9.2-rc1","v2.9.3","v2.9.3-alpha1","v2.9.3-alpha2","v2.9.3-alpha3","v2.9.3-alpha4","v2.9.3-alpha5","v2.9.3-alpha6","v2.9.3-alpha7","v2.9.3-rc1","v2.9.3-rc2","v2.9.4","v2.9.4-alpha1","v2.9.4-alpha2","v2.9.4-alpha3","v2.9.4-alpha4","v2.9.4-alpha5","v2.9.4-hotfix-schema-leak.1","v2.9.4-rc1","v2.9.4-rc2","v2.9.4-rc3","v2.9.5","v2.9.5-alpha1","v2.9.5-rc1","v2.9.6","v2.9.6-alpha1","v2.9.6-alpha2","v2.9.6-alpha3","v2.9.6-rc1","v2.9.7-alpha1","v2.9.7-alpha2","v2.9.7-alpha3","v2.9.7-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23387.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}