x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-mw39-9qc2-f7mg

[GoVulnBot]

Advisory GHSA-mw39-9qc2-f7mg references a vulnerability in the following Go modules:

Module
github.com/rancher/rancher

Description:

Impact

Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.

A vulnerability has been identified in Rancher Manager, where sensitive information, including secret data, cluster import URLs, and registration tokens, is exposed to any entity with access to Rancher audit logs. This happens in two different ways:

1. Secret Annotation Leakage: When creating Kubernetes Secrets using the stringData field, the cleartext value is embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. This annotation is inc...

References:

• ADVISORY: GHSA-mw39-9qc2-f7mg
• ADVISORY: GHSA-mw39-9qc2-f7mg
• FIX: rancher/rancher@26ad921
• FIX: rancher/rancher@50dc516

Cross references:

• github.com/rancher/rancher appears in 52 other report(s):
  • data/excluded/GO-2022-0439.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-wm2r-rp98-8pmh #439) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0464.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-21951 #464) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0551.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-4fc7-hc63-7fjg #551) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0605.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-hx8w-ghh8-r4xf #605) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0610.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-jwvr-vv7p-gpwq, CVE-2021-36784 #610) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36782 #973) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0974.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36783 #974) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0975.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-31247 #975) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1511.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-34p5-jp77-fcrc #1511) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1513.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7m72-mh5r-6j3r #1513) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1514.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8c69-r38j-rpfj #1514) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1516.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c45c-39f6-6gw9 #1516) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1517.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-cq4p-vp5q-4522 #1517) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1518.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-g25r-gvq3-wrq7 #1518) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1736.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1814.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-43760 #1814) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1815.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22647 #1815) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1816.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22648 #1816) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1825.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8vhc-hwhc-cpj4 #1825) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1905.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m8r-jh89-rq7h #1905) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0644.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9qq2-xhmc-h9qr #644)
  • data/reports/GO-2022-0755.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher/server: GHSA-xhg2-rvm8-w2jh #755)
  • data/reports/GO-2023-1973.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-w3x4-9854-95x8 #1973)
  • data/reports/GO-2023-1991.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gc62-j469-9gjm #1991)
  • data/reports/GO-2024-2535.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c85r-fwc7-45vc #2535)
  • data/reports/GO-2024-2537.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xfj7-qf8w-2gcr #2537)
  • data/reports/GO-2024-2760.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-28g7-896h-695v #2760)
  • data/reports/GO-2024-2761.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-2p4g-jrmx-r34m #2761)
  • data/reports/GO-2024-2762.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-53pj-67m4-9w98 #2762)
  • data/reports/GO-2024-2764.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6r7x-4q7g-h83j #2764)
  • data/reports/GO-2024-2768.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-f9xf-jq4j-vqw4 #2768)
  • data/reports/GO-2024-2771.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-gvh9-xgrq-r8hw #2771)
  • data/reports/GO-2024-2778.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-pvxj-25m6-7vqr #2778)
  • data/reports/GO-2024-2784.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xh8x-j8h3-m5ph #2784)
  • data/reports/GO-2024-2929.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-64jq-m7rq-768h #2929)
  • data/reports/GO-2024-2931.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9ghh-mmcq-8phc #2931)
  • data/reports/GO-2024-2932.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-q6c7-56cq-g2wm #2932)
  • data/reports/GO-2024-3161.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h4h5-9833-v2p4 #3161)
  • data/reports/GO-2024-3220.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7h8m-pvw3-5gh4 #3220)
  • data/reports/GO-2024-3221.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-h99m-6755-rgwc #3221)
  • data/reports/GO-2024-3223.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xj7w-r753-vj8v #3223)
  • data/reports/GO-2024-3280.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9c5p-35gj-jqp4 #3280)
  • data/reports/GO-2025-3391.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-2v2w-8v8c-wcm9 #3391)
  • data/reports/GO-2025-3489.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-5qmp-9x47-92q8 #3489)
  • data/reports/GO-2025-3490.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-mq23-vvg7-xfm4 #3490)
  • data/reports/GO-2025-3491.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-xr9q-h9c7-xw8q #3491)
  • data/reports/GO-2025-3586.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8p83-cpfg-fj3g #3586)
  • data/reports/GO-2025-3647.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8h6m-wv39-239m #3647)
  • data/reports/GO-2025-3923.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-4h45-jpvh-6p5j #3923)
  • data/reports/GO-2025-3982.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-mjcp-rj3c-36fr #3982)
  • data/reports/GO-2025-3983.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-q82v-h4rq-5c86 #3983)
  • data/reports/GO-2025-3984.yaml (x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-v3vj-5868-2ch2 #3984)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rancher/rancher
      versions:
        - fixed: 0.0.0-20251013203444-50dc516a19ea
summary: Rancher exposes sensitive information through audit logs in github.com/rancher/rancher
cves:
    - CVE-2024-58269
ghsas:
    - GHSA-mw39-9qc2-f7mg
references:
    - advisory: https://github.com/advisories/GHSA-mw39-9qc2-f7mg
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-mw39-9qc2-f7mg
    - fix: https://github.com/rancher/rancher/commit/26ad9216e94f77b5471f638256a6989030572adc
    - fix: https://github.com/rancher/rancher/commit/50dc516a19ea216e270f738912dc8d0c9ca99d5d
notes:
    - fix: 'github.com/rancher/rancher: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-mw39-9qc2-f7mg
    created: 2025-10-24T16:01:35.943369848Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/715780 mentions this issue: data/reports: add 47 UNREVIEWED reports