CVE-2019-12303
Description
In Rancher 2 up to 2.2.3, project owners can inject fluentd configuration to read files or execute commands inside the fluentd container, leading to privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2019-12303 is an injection vulnerability in Rancher's fluentd configuration. Project owners, who have limited privileges within their project, can inject additional fluentd settings that are processed by the fluentd container [1][2]. This injection occurs because the system does not properly sanitize or restrict the configuration inputs that project owners can provide.
Exploitation and Attack Surface
To exploit this vulnerability, an attacker must have a project owner role in a Rancher environment. No additional authentication is required beyond the existing project owner credentials. The attacker can inject arbitrary fluentd configuration directives, which are then executed by the fluentd container without further validation [2]. The attack is performed through the Rancher UI or API, where project owners can modify fluentd settings.
Impact
Successful exploitation allows an attacker to read arbitrary files on the fluentd container's filesystem, which may contain sensitive information such as secrets or configuration data. Additionally, the attacker can execute arbitrary commands within the fluentd container, potentially leading to further compromise of the underlying host or other containers [1][2].
Mitigation
The vulnerability is fixed in Rancher version 2.2.4 [1]. Users are advised to upgrade to this version or later. There are no known workarounds, so upgrading is necessary to remediate the issue.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/rancher/rancher (Go) | >= 2.0.0, < 2.2.4 | 2.2.4 |
Affected products
- Rancher/Rancher
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-53pj-67m4-9w98 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12303 (NVD advisory)
- forums.rancher.com/c/announcements (MITRE, x_refsource_CONFIRM)
- forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.