CVE-2022-43758

A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users by default) This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.

Published: Feb 7, 2023
Updated: May 9, 2024
CVE: CVE-2022-43758
GHSA: GHSA-34p5-jp77-fcrc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.8
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CWEs:

CWE-78
CWE-77
CWE-88

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
suse / rancher	2.7.0	2.7.1
suse / rancher	2.6.0	2.6.10
suse / rancher	2.5.0	2.5.17
github.com/rancher/rancher	2.5.0	2.5.17
github.com/rancher/rancher	2.6.0	2.6.10
github.com/rancher/rancher	2.7.0	2.7.1

https://bugzilla.suse.com/show_bug.cgi?id=1205294
https://github.com/rancher/rancher/security/advisories/GHSA-34p5-jp77-fcrc

Vulnerability Database

CVE-2022-43758