{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-43760", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2022-10-26T06:52:18.766Z", "datePublished": "2023-06-01T12:56:40.074Z", "dateUpdated": "2025-01-09T16:58:33.155Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Rancher", "vendor": "SUSE", "versions": [{"lessThan": "< 2.6.13", "status": "affected", "version": ">= 2.6.0", "versionType": "2.6.13"}, {"lessThan": "< 2.7.4", "status": "affected", "version": ">= 2.7.0", "versionType": "2.7.4"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "https://github.com/bybit-sec"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.<br></div><p>This issue affects Rancher: from &gt;= 2.6.0 before &lt; 2.6.13, from &gt;= 2.7.0 before &lt; 2.7.4.</p>"}], "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.\n\n\nThis issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2023-06-01T12:56:40.074Z"}, "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:40:06.301Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x", "tags": ["x_transferred"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-09T16:58:17.163134Z", "id": "CVE-2022-43760", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T16:58:33.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x", "tags": ["x_transferred"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:40:06.301Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-43760", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-09T16:58:17.163134Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T16:58:25.335Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "https://github.com/bybit-sec"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SUSE", "product": "Rancher", "versions": [{"status": "affected", "version": ">= 2.6.0", "lessThan": "< 2.6.13", "versionType": "2.6.13"}, {"status": "affected", "version": ">= 2.7.0", "lessThan": "< 2.7.4", "versionType": "2.7.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.\n\n\nThis issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.<br></div><p>This issue affects Rancher: from &gt;= 2.6.0 before &lt; 2.6.13, from &gt;= 2.7.0 before &lt; 2.7.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2023-06-01T12:56:40.074Z"}}}, "cveMetadata": {"cveId": "CVE-2022-43760", "state": "PUBLISHED", "dateUpdated": "2025-01-09T16:58:33.155Z", "dateReserved": "2022-10-26T06:52:18.766Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2023-06-01T12:56:40.074Z", "assignerShortName": "suse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E9E01CC-9BB4-4A69-8F2D-ECCA9CF59580", "versionEndExcluding": "2.6.13", "versionStartIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "matchCriteriaId": "82B60ABA-3389-45F0-9F45-4D4D0D4738BC", "versionEndExcluding": "2.7.4", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.\n\n\nThis issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n"}], "id": "CVE-2022-43760", "lastModified": "2024-11-21T07:27:10.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-06-01T13:15:10.373", "references": [{"source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}

{}