x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-q82v-h4rq-5c86

[GoVulnBot]

Advisory GHSA-q82v-h4rq-5c86 references a vulnerability in the following Go modules:

Module
github.com/rancher/rancher

Description:

Impact

A vulnerability has been identified within Rancher Manager where a missing server-side validation on the .username field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. Specifically:

• Username takeover: A user with permission to update another user’s resource can set its .username to "admin", preventing both the legitimate admin and the affected user from logging in, as Rancher enforces uniqueness at login time.
• Account lockout: A user with update permissions on the admin account can change the ad...

References:

• ADVISORY: GHSA-q82v-h4rq-5c86
• ADVISORY: GHSA-q82v-h4rq-5c86

Cross references:

• github.com/rancher/rancher appears in 49 other report(s):
  • data/excluded/GO-2022-0439.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-wm2r-rp98-8pmh #439) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0464.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-21951 #464) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0551.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-4fc7-hc63-7fjg #551) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0605.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-hx8w-ghh8-r4xf #605) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0610.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-jwvr-vv7p-gpwq, CVE-2021-36784 #610) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36782 #973) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0974.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36783 #974) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0975.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-31247 #975) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1511.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-34p5-jp77-fcrc #1511) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1513.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7m72-mh5r-6j3r #1513) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1514.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8c69-r38j-rpfj #1514) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1516.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c45c-39f6-6gw9 #1516) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1517.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-cq4p-vp5q-4522 #1517) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1518.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-g25r-gvq3-wrq7 #1518) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1736.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1814.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-43760 #1814) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1815.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22647 #1815) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1816.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22648 #1816) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1825.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8vhc-hwhc-cpj4 #1825) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1905.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m8r-jh89-rq7h #1905) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0644.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9qq2-xhmc-h9qr #644)
  • data/reports/GO-2022-0755.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher/server: GHSA-xhg2-rvm8-w2jh #755)
  • data/reports/GO-2023-1973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-w3x4-9854-95x8 #1973)
  • data/reports/GO-2023-1991.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gc62-j469-9gjm #1991)
  • data/reports/GO-2024-2535.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c85r-fwc7-45vc #2535)
  • data/reports/GO-2024-2537.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xfj7-qf8w-2gcr #2537)
  • data/reports/GO-2024-2760.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-28g7-896h-695v #2760)
  • data/reports/GO-2024-2761.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-2p4g-jrmx-r34m #2761)
  • data/reports/GO-2024-2762.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-53pj-67m4-9w98 #2762)
  • data/reports/GO-2024-2764.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6r7x-4q7g-h83j #2764)
  • data/reports/GO-2024-2768.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-f9xf-jq4j-vqw4 #2768)
  • data/reports/GO-2024-2771.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gvh9-xgrq-r8hw #2771)
  • data/reports/GO-2024-2778.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-pvxj-25m6-7vqr #2778)
  • data/reports/GO-2024-2784.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xh8x-j8h3-m5ph #2784)
  • data/reports/GO-2024-2929.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-64jq-m7rq-768h #2929)
  • data/reports/GO-2024-2931.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9ghh-mmcq-8phc #2931)
  • data/reports/GO-2024-2932.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-q6c7-56cq-g2wm #2932)
  • data/reports/GO-2024-3161.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h4h5-9833-v2p4 #3161)
  • data/reports/GO-2024-3220.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7h8m-pvw3-5gh4 #3220)
  • data/reports/GO-2024-3221.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h99m-6755-rgwc #3221)
  • data/reports/GO-2024-3223.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xj7w-r753-vj8v #3223)
  • data/reports/GO-2024-3280.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280)
  • data/reports/GO-2025-3391.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-2v2w-8v8c-wcm9 #3391)
  • data/reports/GO-2025-3489.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-5qmp-9x47-92q8 #3489)
  • data/reports/GO-2025-3490.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-mq23-vvg7-xfm4 #3490)
  • data/reports/GO-2025-3491.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xr9q-h9c7-xw8q #3491)
  • data/reports/GO-2025-3586.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8p83-cpfg-fj3g #3586)
  • data/reports/GO-2025-3647.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8h6m-wv39-239m #3647)
  • data/reports/GO-2025-3923.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-4h45-jpvh-6p5j #3923)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rancher
      non_go_versions:
        - introduced: 2.9.0
        - fixed: 2.9.12
        - introduced: 2.10.0
        - fixed: 2.10.10
        - introduced: 2.11.0
        - fixed: 2.11.6
        - introduced: 2.12.0
        - fixed: 2.12.2
      vulnerable_at: 1.6.30
summary: Rancher update on users can deny the service to the admin in github.com/rancher/rancher
cves:
    - CVE-2024-58260
ghsas:
    - GHSA-q82v-h4rq-5c86
references:
    - advisory: https://github.com/advisories/GHSA-q82v-h4rq-5c86
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-q82v-h4rq-5c86
source:
    id: GHSA-q82v-h4rq-5c86
    created: 2025-09-26T14:01:41.773194739Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/711220 mentions this issue: data/reports: add 19 reports