CVE-2017-7297: Security Exposure: Authenticated users can disable auth [CVE-2017-7297] · Issue #8296 · rancher/rancher
Rancher Labs' rancher/server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3.
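As an added, defender-side example (not code from this issue or from the Rancher project), the following Python script classifies rancher/server image tags against the fixed versions listed above, so an operator can scan a container inventory for builds that still need the upgrade. It assumes image references take the form `[registry/]rancher/server:[v]X.Y.Z`; minor lines the advisory does not name (1.6 and later) and non-version tags such as `latest` are reported as unknown rather than guessed; versions below 1.2.0 are outside the stated affected range. The sample inventory is constructed.

```python
"""Classify rancher/server image tags against the CVE-2017-7297 fix releases.

Fixed releases, as stated in the advisory: 1.2.4, 1.3.5, 1.4.3, 1.5.3.
Anything from 1.2.0 up to (but excluding) the fix on its own 1.x minor line
is treated as vulnerable. Minor lines the advisory does not mention are
reported as "unknown" (assumption: do not guess beyond the advisory).
"""
import re
from typing import List, Optional, Tuple

# Per-minor-line fixed versions taken from the advisory text.
FIXED_BY_MINOR = {
    (1, 2): (1, 2, 4),
    (1, 3): (1, 3, 5),
    (1, 4): (1, 4, 3),
    (1, 5): (1, 5, 3),
}
FIRST_AFFECTED = (1, 2, 0)  # advisory: "1.2.0+ is vulnerable"

# Assumed tag shape: optional registry prefix, repo rancher/server, tag [v]X.Y.Z
_TAG_RE = re.compile(r"^(?:.*/)?rancher/server:v?(\d+)\.(\d+)\.(\d+)$")


def parse_server_tag(image: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a rancher/server image reference,
    or None for anything that is not a plain semantic-version tag
    (other images, floating tags such as ':latest', rc suffixes)."""
    m = _TAG_RE.match(image.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(image: str) -> str:
    """Classify one image reference as 'fixed', 'vulnerable',
    'not_affected' (below 1.2.0) or 'unknown'."""
    ver = parse_server_tag(image)
    if ver is None:
        return "unknown"        # cannot be assessed offline from the tag alone
    if ver < FIRST_AFFECTED:
        return "not_affected"   # below the advisory's stated affected range
    fixed = FIXED_BY_MINOR.get(ver[:2])
    if fixed is None:
        return "unknown"        # e.g. 1.6.x: not covered by this advisory
    return "fixed" if ver >= fixed else "vulnerable"


def find_vulnerable(image_refs: List[str]) -> List[str]:
    """Given image references (for example one per line from
    `docker ps --format '{{.Image}}'`), return those assessed as vulnerable."""
    return [ref for ref in image_refs if assess(ref) == "vulnerable"]


# Constructed sample inventory (not real hosts) of what a listing might contain.
SAMPLE_INVENTORY = [
    "rancher/server:v1.2.4",
    "rancher/server:v1.5.2",
    "rancher/agent:v1.2.0",
    "rancher/server:latest",
]

if __name__ == "__main__":
    for ref in SAMPLE_INVENTORY:
        print(f"{ref:32s} {assess(ref)}")
    print("needs upgrade:", find_vulnerable(SAMPLE_INVENTORY))
```

Floating tags such as `latest` are deliberately reported as unknown: the running container's actual version has to be read from the server itself (or the image digest resolved) before the check can say anything.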
Rancher Versions:
Server: 1.2.0+
Docker Version:
Any
OS and where are the hosts located? (cloud, bare metal, etc):
Setup Details: (single node rancher vs. HA rancher, internal DB vs. external DB)
Environment Type: (Cattle/Kubernetes/Swarm/Mesos)
Steps to Reproduce:
Log into Rancher as an authenticated user (any role) and disable auth via the API.
Results:
Authentication is disabled.