x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xr9q-h9c7-xw8q

[GoVulnBot]

Advisory GHSA-xr9q-h9c7-xw8q references a vulnerability in the following Go modules:

Module
github.com/rancher/rancher

Description:

Impact

An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher’s /v3-public/authproviders public API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actually be written in the API. The downstream clusters, i.e., the clusters managed by Rancher, are not affected by this issue.

This vulnerability affects those using external authentication providers as well as Rancher’s local authentication.

Patches

The patch includes the removal of unne...

References:

• ADVISORY: GHSA-xr9q-h9c7-xw8q
• ADVISORY: GHSA-xr9q-h9c7-xw8q

Cross references:

• github.com/rancher/rancher appears in 43 other report(s):
  • data/excluded/GO-2022-0439.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-wm2r-rp98-8pmh #439) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0464.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-21951 #464) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0551.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-4fc7-hc63-7fjg #551) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0605.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-hx8w-ghh8-r4xf #605) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0610.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-jwvr-vv7p-gpwq, CVE-2021-36784 #610) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36782 #973) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0974.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36783 #974) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0975.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-31247 #975) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1511.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-34p5-jp77-fcrc #1511) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1513.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7m72-mh5r-6j3r #1513) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1514.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8c69-r38j-rpfj #1514) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1516.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c45c-39f6-6gw9 #1516) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1517.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-cq4p-vp5q-4522 #1517) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1518.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-g25r-gvq3-wrq7 #1518) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1736.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1814.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-43760 #1814) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1815.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22647 #1815) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1816.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22648 #1816) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1825.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8vhc-hwhc-cpj4 #1825) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1905.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m8r-jh89-rq7h #1905) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0644.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9qq2-xhmc-h9qr #644)
  • data/reports/GO-2022-0755.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher/server: GHSA-xhg2-rvm8-w2jh #755)
  • data/reports/GO-2023-1973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-w3x4-9854-95x8 #1973)
  • data/reports/GO-2023-1991.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gc62-j469-9gjm #1991)
  • data/reports/GO-2024-2535.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c85r-fwc7-45vc #2535)
  • data/reports/GO-2024-2537.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xfj7-qf8w-2gcr #2537)
  • data/reports/GO-2024-2760.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-28g7-896h-695v #2760)
  • data/reports/GO-2024-2761.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-2p4g-jrmx-r34m #2761)
  • data/reports/GO-2024-2762.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-53pj-67m4-9w98 #2762)
  • data/reports/GO-2024-2764.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6r7x-4q7g-h83j #2764)
  • data/reports/GO-2024-2768.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-f9xf-jq4j-vqw4 #2768)
  • data/reports/GO-2024-2771.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gvh9-xgrq-r8hw #2771)
  • data/reports/GO-2024-2778.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-pvxj-25m6-7vqr #2778)
  • data/reports/GO-2024-2784.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xh8x-j8h3-m5ph #2784)
  • data/reports/GO-2024-2929.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-64jq-m7rq-768h #2929)
  • data/reports/GO-2024-2931.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9ghh-mmcq-8phc #2931)
  • data/reports/GO-2024-2932.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-q6c7-56cq-g2wm #2932)
  • data/reports/GO-2024-3161.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h4h5-9833-v2p4 #3161)
  • data/reports/GO-2024-3220.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7h8m-pvw3-5gh4 #3220)
  • data/reports/GO-2024-3221.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h99m-6755-rgwc #3221)
  • data/reports/GO-2024-3223.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xj7w-r753-vj8v #3223)
  • data/reports/GO-2024-3280.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280)
  • data/reports/GO-2025-3391.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-2v2w-8v8c-wcm9 #3391)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rancher
      non_go_versions:
        - introduced: 2.8.0
        - fixed: 2.8.13
        - introduced: 2.9.0
        - fixed: 2.9.7
        - introduced: 2.10.0
        - fixed: 2.10.3
      vulnerable_at: 1.6.30
summary: Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API in github.com/rancher/rancher
cves:
    - CVE-2025-23388
ghsas:
    - GHSA-xr9q-h9c7-xw8q
references:
    - advisory: https://github.com/advisories/GHSA-xr9q-h9c7-xw8q
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-xr9q-h9c7-xw8q
source:
    id: GHSA-xr9q-h9c7-xw8q
    created: 2025-02-27T19:01:24.755548837Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/654257 mentions this issue: data/reports: add 23 reports