
Description

A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are sent to an external entity, for example `amazonaws.com`, via the `/meta/proxy` Rancher endpoint. These headers may contain identifiable and/or sensitive information, e.g. email addresses.

PUBLISHED Reserved 2025-07-23 | Published 2025-10-02 | Updated 2025-10-02 | Assigner suse




MEDIUM: 4.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status: unaffected

2.12.0 before 2.12.2: affected

2.11.0 before 2.11.6: affected

2.10.0 before 2.10.10: affected

2.9.0 before 2.9.12: affected

References

bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54468

github.com/...ancher/security/advisories/GHSA-mjcp-rj3c-36fr

cve.org (CVE-2025-54468)

nvd.nist.gov (CVE-2025-54468)
