CVE-2025-23387
Description
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated users can list and delete CLI authentication tokens via the public /v3-public/authTokens endpoint in Rancher releases earlier than the patched versions.
Vulnerability Overview
CVE-2025-23387 is an information exposure vulnerability in SUSE Rancher that allows an unauthenticated attacker to list all CLI authentication tokens and delete them before the CLI can retrieve the token value. The root cause is that the public /v3-public/authTokens endpoint improperly supported GET and DELETE methods without requiring authentication, exposing sensitive token metadata and enabling unauthorized deletion [1][2][3].
Exploitation Conditions
The vulnerability is accessible over the network without any authentication, meaning any attacker who can reach the Rancher API can send GET requests to /v3-public/authTokens to enumerate tokens and DELETE requests to remove them. No special privileges or prior knowledge are needed; the attack surface is the publicly exposed Rancher management API [1][2][3].
Impact
Successful exploitation could allow an attacker to disrupt CLI-based interactions by deleting valid authentication tokens before they are used, potentially causing denial of service or interfering with automated workflows. Additionally, listing tokens could leak information useful for further attacks [1][2][3].
Mitigation
Rancher has addressed the issue by removing support for GET and DELETE methods on the public /v3-public/authTokens endpoint. Fixes are included in Rancher versions 2.8.13, 2.9.7, and 2.10.3. Users should upgrade to these or later patch releases [1][2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
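A log-triage check for the requests described above, added here as an example (it is not Rancher code and not part of the advisory). It assumes a reverse proxy in front of Rancher writes Common Log Format lines; the names `Finding`, `Scan` and `ExposedSources` are hypothetical, and every sample line is constructed. It separates collection requests, whose GET and DELETE methods the fix removed, from by-ID requests, and treats any 2xx answer to a collection request as the signal to investigate.

```go
// Added example: access-log triage for CVE-2025-23387 (not Rancher code).
// Log format (Common Log Format) and every sample line are constructed.
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one GET or DELETE against the public authTokens API.
type Finding struct {
	Source, Method, Target string
	Status                 int
	Kind                   string // "collection" or "resource" (single token by ID)
	Served                 bool   // server answered 2xx
}

// Paths are compared lower-cased, which errs toward matching.
const tokenAPI = "/v3-public/authtokens"

// clf matches: host ident user [time] "METHOD target PROTO" status size
var clf = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) `)

// classify tells collection requests (the methods the fix removed) apart from
// by-ID requests, which the patched schema still lists as resource methods.
func classify(target string) (string, bool) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", false
	}
	p := strings.ToLower(strings.TrimRight(u.Path, "/"))
	if p == tokenAPI {
		return "collection", true
	}
	if strings.HasPrefix(p, tokenAPI+"/") && !strings.Contains(p[len(tokenAPI)+1:], "/") {
		return "resource", true
	}
	return "", false
}

// Scan extracts every GET/DELETE on the token API; unparseable lines are skipped.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := clf.FindStringSubmatch(line)
		if m == nil || (m[2] != "GET" && m[2] != "DELETE") {
			continue
		}
		kind, ok := classify(m[3])
		if !ok {
			continue
		}
		status, _ := strconv.Atoi(m[4])
		out = append(out, Finding{Source: m[1], Method: m[2], Target: m[3], Status: status,
			Kind: kind, Served: status >= 200 && status < 300})
	}
	return out
}

// ExposedSources lists clients whose collection request was served (2xx).
func ExposedSources(fs []Finding) []string {
	seen := map[string]bool{}
	var out []string
	for _, f := range fs {
		if f.Kind == "collection" && f.Served && !seen[f.Source] {
			seen[f.Source] = true
			out = append(out, f.Source)
		}
	}
	sort.Strings(out)
	return out
}

// sampleLog is constructed for this example; addresses are documentation ranges.
var sampleLog = []string{
	`198.51.100.20 - - [12/Feb/2025:10:00:01 +0000] "GET /v3-public/authTokens/constructed-id-1 HTTP/1.1" 200 512`,
	`203.0.113.7 - - [12/Feb/2025:10:00:02 +0000] "GET /v3-public/authTokens?limit=100 HTTP/1.1" 200 1843`,
	`203.0.113.7 - - [12/Feb/2025:10:00:03 +0000] "DELETE /v3-public/authTokens/ HTTP/1.1" 405 0`,
	`192.0.2.9 - - [12/Feb/2025:10:00:04 +0000] "GET /v3-public/authProviders HTTP/1.1" 200 900`,
	`truncated line without a request`,
}

func main() {
	fs := Scan(sampleLog)
	for _, f := range fs {
		fmt.Printf("%-14s %-6s %-10s status=%d served=%v %s\n",
			f.Source, f.Method, f.Kind, f.Status, f.Served, f.Target)
	}
	fmt.Println("served collection requests from:", ExposedSources(fs))
}
```

A served collection request in logs from before the upgrade is a reason to review which CLI logins failed around that time.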
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/rancher/rancher (Go) | >= 2.8.0, < 2.8.13 | 2.8.13 |
| github.com/rancher/rancher (Go) | >= 2.9.0, < 2.9.7 | 2.9.7 |
| github.com/rancher/rancher (Go) | >= 2.10.0, < 2.10.3 | 2.10.3 |
Affected products (2)
Patches (7)
ecc87e7d86e9
a717664d9c19
cecf1d1e99c7
2481630c4a5a [v2.8] Fix public authTokens endpoint (#49000)
4 files changed · +8 −112
pkg/auth/providers/publicapi/store.go+7 −15 modified@@ -1,6 +1,8 @@ package publicapi import ( + "fmt" + "github.com/rancher/norman/httperror" "github.com/rancher/norman/objectclient" "github.com/rancher/norman/store/empty" @@ -10,7 +12,7 @@ import ( v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" "github.com/rancher/rancher/pkg/namespace" "github.com/rancher/rancher/pkg/types/config" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" 
@@ -79,27 +81,17 @@ type authTokensStore struct { func (t *authTokensStore) ByID(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { token, err := t.tokens.GetNamespaced(namespace.GlobalNamespace, id, v1.GetOptions{}) if err != nil { + if apierrors.IsNotFound(err) { + return nil, httperror.NewAPIError(httperror.NotFound, fmt.Sprintf("token %s not found", id)) + } return nil, err } generated := transformToAuthToken(token) return generated, err } -func (t *authTokensStore) List(apiContext *types.APIContext, schema *types.Schema, opt *types.QueryOptions) ([]map[string]interface{}, error) { - tokens, err := t.tokens.ListNamespaced(namespace.GlobalNamespace, v1.ListOptions{}) - if err != nil { - return nil, err - } - var result []map[string]interface{} - for _, token := range tokens.Items { - generated := transformToAuthToken(&token) - result = append(result, generated) - } - return result, nil -} - func (t *authTokensStore) Delete(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { - if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) { + if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return nil, err } return nil, nil
pkg/client/generated/management/v3public/zz_generated_auth_token.go+0 −94 modified@@ -1,9 +1,5 @@ package client -import ( - "github.com/rancher/norman/types" -) - const ( AuthTokenType = "authToken" AuthTokenFieldAnnotations = "annotations" @@ -19,7 +15,6 @@ const ( ) type AuthToken struct { - types.Resource Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` Created string `json:"created,omitempty" yaml:"created,omitempty"` CreatorID string `json:"creatorId,omitempty" yaml:"creatorId,omitempty"` 
@@ -31,92 +26,3 @@ type AuthToken struct { Token string `json:"token,omitempty" yaml:"token,omitempty"` UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` } - -type AuthTokenCollection struct { - types.Collection - Data []AuthToken `json:"data,omitempty"` - client *AuthTokenClient -} - -type AuthTokenClient struct { - apiClient *Client -} - -type AuthTokenOperations interface { - List(opts *types.ListOpts) (*AuthTokenCollection, error) - ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) - Create(opts *AuthToken) (*AuthToken, error) - Update(existing *AuthToken, updates interface{}) (*AuthToken, error) - Replace(existing *AuthToken) (*AuthToken, error) - ByID(id string) (*AuthToken, error) - Delete(container *AuthToken) error -} - -func newAuthTokenClient(apiClient *Client) *AuthTokenClient { - return &AuthTokenClient{ - apiClient: apiClient, - } -} - -func (c *AuthTokenClient) Create(container *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoCreate(AuthTokenType, container, resp) - return resp, err -} - -func (c *AuthTokenClient) Update(existing *AuthToken, updates interface{}) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoUpdate(AuthTokenType, &existing.Resource, updates, resp) - return resp, err -} - -func (c *AuthTokenClient) Replace(obj *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoReplace(AuthTokenType, &obj.Resource, obj, resp) - return resp, err -} - -func (c *AuthTokenClient) List(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - err := c.apiClient.Ops.DoList(AuthTokenType, opts, resp) - resp.client = c - return resp, err -} - -func (c *AuthTokenClient) ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - resp, err := c.List(opts) - if err != nil { - return resp, err - } - data := resp.Data - for next, err := resp.Next(); next != nil && err == nil; next, err = 
next.Next() { - data = append(data, next.Data...) - resp = next - resp.Data = data - } - if err != nil { - return resp, err - } - return resp, err -} - -func (cc *AuthTokenCollection) Next() (*AuthTokenCollection, error) { - if cc != nil && cc.Pagination != nil && cc.Pagination.Next != "" { - resp := &AuthTokenCollection{} - err := cc.client.apiClient.Ops.DoNext(cc.Pagination.Next, resp) - resp.client = cc.client - return resp, err - } - return nil, nil -} - -func (c *AuthTokenClient) ByID(id string) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoByID(AuthTokenType, id, resp) - return resp, err -} - -func (c *AuthTokenClient) Delete(container *AuthToken) error { - return c.apiClient.Ops.DoResourceDelete(AuthTokenType, &container.Resource) -}
pkg/client/generated/management/v3public/zz_generated_client.go+0 −2 modified@@ -7,7 +7,6 @@ import ( type Client struct { clientbase.APIBaseClient - AuthToken AuthTokenOperations AuthProvider AuthProviderOperations } @@ -21,7 +20,6 @@ func NewClient(opts *clientbase.ClientOpts) (*Client, error) { APIBaseClient: baseClient, } - client.AuthToken = newAuthTokenClient(client) client.AuthProvider = newAuthProviderClient(client) return client, nil
pkg/schemas/management.cattle.io/v3public/public_schema.go+1 −1 modified@@ -27,7 +27,7 @@ func authProvidersTypes(schemas *types.Schemas) *types.Schemas { schema.ResourceMethods = []string{} }). MustImportAndCustomize(&PublicVersion, v3.AuthToken{}, func(schema *types.Schema) { - schema.CollectionMethods = []string{http.MethodGet, http.MethodDelete} + schema.CollectionMethods = []string{} schema.ResourceMethods = []string{http.MethodGet, http.MethodDelete} }). MustImportAndCustomize(&PublicVersion, v3.AuthProvider{}, func(schema *types.Schema) {
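Review bot: in pkg/schemas/management.cattle.io/v3public/public_schema.go, `schema.ResourceMethods` still lists `http.MethodGet` and `http.MethodDelete` for `v3.AuthToken`, so by-ID reads and deletes on the public schema stay reachable after `CollectionMethods` is emptied. Please add a comment beside that line stating why unauthenticated by-ID access is required and what keeps it safe (presumably that the ID is known only to the CLI that created the token), so a later reader does not assume the whole type is now closed.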
dfa034d05a55 [v2.9] Fix public authTokens endpoint (#48999)
4 files changed · +8 −112
pkg/auth/providers/publicapi/store.go+7 −15 modified@@ -1,6 +1,8 @@ package publicapi import ( + "fmt" + "github.com/rancher/norman/httperror" "github.com/rancher/norman/objectclient" "github.com/rancher/norman/store/empty" @@ -10,7 +12,7 @@ import ( v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" "github.com/rancher/rancher/pkg/namespace" "github.com/rancher/rancher/pkg/types/config" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" 
@@ -79,27 +81,17 @@ type authTokensStore struct { func (t *authTokensStore) ByID(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { token, err := t.tokens.GetNamespaced(namespace.GlobalNamespace, id, v1.GetOptions{}) if err != nil { + if apierrors.IsNotFound(err) { + return nil, httperror.NewAPIError(httperror.NotFound, fmt.Sprintf("token %s not found", id)) + } return nil, err } generated := transformToAuthToken(token) return generated, err } -func (t *authTokensStore) List(apiContext *types.APIContext, schema *types.Schema, opt *types.QueryOptions) ([]map[string]interface{}, error) { - tokens, err := t.tokens.ListNamespaced(namespace.GlobalNamespace, v1.ListOptions{}) - if err != nil { - return nil, err - } - var result []map[string]interface{} - for _, token := range tokens.Items { - generated := transformToAuthToken(&token) - result = append(result, generated) - } - return result, nil -} - func (t *authTokensStore) Delete(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { - if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) { + if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return nil, err } return nil, nil
pkg/client/generated/management/v3public/zz_generated_auth_token.go+0 −94 modified@@ -1,9 +1,5 @@ package client -import ( - "github.com/rancher/norman/types" -) - const ( AuthTokenType = "authToken" AuthTokenFieldAnnotations = "annotations" @@ -19,7 +15,6 @@ const ( ) type AuthToken struct { - types.Resource Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` Created string `json:"created,omitempty" yaml:"created,omitempty"` CreatorID string `json:"creatorId,omitempty" yaml:"creatorId,omitempty"` 
@@ -31,92 +26,3 @@ type AuthToken struct { Token string `json:"token,omitempty" yaml:"token,omitempty"` UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` } - -type AuthTokenCollection struct { - types.Collection - Data []AuthToken `json:"data,omitempty"` - client *AuthTokenClient -} - -type AuthTokenClient struct { - apiClient *Client -} - -type AuthTokenOperations interface { - List(opts *types.ListOpts) (*AuthTokenCollection, error) - ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) - Create(opts *AuthToken) (*AuthToken, error) - Update(existing *AuthToken, updates interface{}) (*AuthToken, error) - Replace(existing *AuthToken) (*AuthToken, error) - ByID(id string) (*AuthToken, error) - Delete(container *AuthToken) error -} - -func newAuthTokenClient(apiClient *Client) *AuthTokenClient { - return &AuthTokenClient{ - apiClient: apiClient, - } -} - -func (c *AuthTokenClient) Create(container *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoCreate(AuthTokenType, container, resp) - return resp, err -} - -func (c *AuthTokenClient) Update(existing *AuthToken, updates interface{}) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoUpdate(AuthTokenType, &existing.Resource, updates, resp) - return resp, err -} - -func (c *AuthTokenClient) Replace(obj *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoReplace(AuthTokenType, &obj.Resource, obj, resp) - return resp, err -} - -func (c *AuthTokenClient) List(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - err := c.apiClient.Ops.DoList(AuthTokenType, opts, resp) - resp.client = c - return resp, err -} - -func (c *AuthTokenClient) ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - resp, err := c.List(opts) - if err != nil { - return resp, err - } - data := resp.Data - for next, err := resp.Next(); next != nil && err == nil; next, err = 
next.Next() { - data = append(data, next.Data...) - resp = next - resp.Data = data - } - if err != nil { - return resp, err - } - return resp, err -} - -func (cc *AuthTokenCollection) Next() (*AuthTokenCollection, error) { - if cc != nil && cc.Pagination != nil && cc.Pagination.Next != "" { - resp := &AuthTokenCollection{} - err := cc.client.apiClient.Ops.DoNext(cc.Pagination.Next, resp) - resp.client = cc.client - return resp, err - } - return nil, nil -} - -func (c *AuthTokenClient) ByID(id string) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoByID(AuthTokenType, id, resp) - return resp, err -} - -func (c *AuthTokenClient) Delete(container *AuthToken) error { - return c.apiClient.Ops.DoResourceDelete(AuthTokenType, &container.Resource) -}
pkg/client/generated/management/v3public/zz_generated_client.go+0 −2 modified@@ -7,7 +7,6 @@ import ( type Client struct { clientbase.APIBaseClient - AuthToken AuthTokenOperations AuthProvider AuthProviderOperations } @@ -21,7 +20,6 @@ func NewClient(opts *clientbase.ClientOpts) (*Client, error) { APIBaseClient: baseClient, } - client.AuthToken = newAuthTokenClient(client) client.AuthProvider = newAuthProviderClient(client) return client, nil
pkg/schemas/management.cattle.io/v3public/public_schema.go+1 −1 modified@@ -27,7 +27,7 @@ func authProvidersTypes(schemas *types.Schemas) *types.Schemas { schema.ResourceMethods = []string{} }). MustImportAndCustomize(&PublicVersion, v3.AuthToken{}, func(schema *types.Schema) { - schema.CollectionMethods = []string{http.MethodGet, http.MethodDelete} + schema.CollectionMethods = []string{} schema.ResourceMethods = []string{http.MethodGet, http.MethodDelete} }). MustImportAndCustomize(&PublicVersion, v3.AuthProvider{}, func(schema *types.Schema) {
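Review bot: in pkg/auth/providers/publicapi/store.go, `ByID` and `Delete` now answer differently for the same unknown ID: the new `apierrors.IsNotFound` branch in `ByID` returns `httperror.NotFound`, while `Delete` still swallows not-found and returns `nil, nil`. If the idempotent delete is intentional, say so in a comment on `Delete`. Also, `fmt.Sprintf("token %s not found", id)` puts the request-supplied `id` into the error body; confirm the value is validated or that the response encoder escapes it.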
ceeedb1aa67c [v2.10] Fix public authTokens endpoint (#48998)
4 files changed · +8 −112
pkg/auth/providers/publicapi/store.go+7 −15 modified@@ -1,6 +1,8 @@ package publicapi import ( + "fmt" + "github.com/rancher/norman/httperror" "github.com/rancher/norman/objectclient" "github.com/rancher/norman/store/empty" @@ -10,7 +12,7 @@ import ( v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" "github.com/rancher/rancher/pkg/namespace" "github.com/rancher/rancher/pkg/types/config" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" 
@@ -79,27 +81,17 @@ type authTokensStore struct { func (t *authTokensStore) ByID(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { token, err := t.tokens.GetNamespaced(namespace.GlobalNamespace, id, v1.GetOptions{}) if err != nil { + if apierrors.IsNotFound(err) { + return nil, httperror.NewAPIError(httperror.NotFound, fmt.Sprintf("token %s not found", id)) + } return nil, err } generated := transformToAuthToken(token) return generated, err } -func (t *authTokensStore) List(apiContext *types.APIContext, schema *types.Schema, opt *types.QueryOptions) ([]map[string]interface{}, error) { - tokens, err := t.tokens.ListNamespaced(namespace.GlobalNamespace, v1.ListOptions{}) - if err != nil { - return nil, err - } - var result []map[string]interface{} - for _, token := range tokens.Items { - generated := transformToAuthToken(&token) - result = append(result, generated) - } - return result, nil -} - func (t *authTokensStore) Delete(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { - if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) { + if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return nil, err } return nil, nil
pkg/client/generated/management/v3public/zz_generated_auth_token.go+0 −94 modified@@ -1,9 +1,5 @@ package client -import ( - "github.com/rancher/norman/types" -) - const ( AuthTokenType = "authToken" AuthTokenFieldAnnotations = "annotations" @@ -19,7 +15,6 @@ const ( ) type AuthToken struct { - types.Resource Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` Created string `json:"created,omitempty" yaml:"created,omitempty"` CreatorID string `json:"creatorId,omitempty" yaml:"creatorId,omitempty"` 
@@ -31,92 +26,3 @@ type AuthToken struct { Token string `json:"token,omitempty" yaml:"token,omitempty"` UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` } - -type AuthTokenCollection struct { - types.Collection - Data []AuthToken `json:"data,omitempty"` - client *AuthTokenClient -} - -type AuthTokenClient struct { - apiClient *Client -} - -type AuthTokenOperations interface { - List(opts *types.ListOpts) (*AuthTokenCollection, error) - ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) - Create(opts *AuthToken) (*AuthToken, error) - Update(existing *AuthToken, updates interface{}) (*AuthToken, error) - Replace(existing *AuthToken) (*AuthToken, error) - ByID(id string) (*AuthToken, error) - Delete(container *AuthToken) error -} - -func newAuthTokenClient(apiClient *Client) *AuthTokenClient { - return &AuthTokenClient{ - apiClient: apiClient, - } -} - -func (c *AuthTokenClient) Create(container *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoCreate(AuthTokenType, container, resp) - return resp, err -} - -func (c *AuthTokenClient) Update(existing *AuthToken, updates interface{}) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoUpdate(AuthTokenType, &existing.Resource, updates, resp) - return resp, err -} - -func (c *AuthTokenClient) Replace(obj *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoReplace(AuthTokenType, &obj.Resource, obj, resp) - return resp, err -} - -func (c *AuthTokenClient) List(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - err := c.apiClient.Ops.DoList(AuthTokenType, opts, resp) - resp.client = c - return resp, err -} - -func (c *AuthTokenClient) ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - resp, err := c.List(opts) - if err != nil { - return resp, err - } - data := resp.Data - for next, err := resp.Next(); next != nil && err == nil; next, err = 
next.Next() { - data = append(data, next.Data...) - resp = next - resp.Data = data - } - if err != nil { - return resp, err - } - return resp, err -} - -func (cc *AuthTokenCollection) Next() (*AuthTokenCollection, error) { - if cc != nil && cc.Pagination != nil && cc.Pagination.Next != "" { - resp := &AuthTokenCollection{} - err := cc.client.apiClient.Ops.DoNext(cc.Pagination.Next, resp) - resp.client = cc.client - return resp, err - } - return nil, nil -} - -func (c *AuthTokenClient) ByID(id string) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoByID(AuthTokenType, id, resp) - return resp, err -} - -func (c *AuthTokenClient) Delete(container *AuthToken) error { - return c.apiClient.Ops.DoResourceDelete(AuthTokenType, &container.Resource) -}
pkg/client/generated/management/v3public/zz_generated_client.go+0 −2 modified@@ -7,7 +7,6 @@ import ( type Client struct { clientbase.APIBaseClient - AuthToken AuthTokenOperations AuthProvider AuthProviderOperations } @@ -21,7 +20,6 @@ func NewClient(opts *clientbase.ClientOpts) (*Client, error) { APIBaseClient: baseClient, } - client.AuthToken = newAuthTokenClient(client) client.AuthProvider = newAuthProviderClient(client) return client, nil
pkg/schemas/management.cattle.io/v3public/public_schema.go+1 −1 modified@@ -27,7 +27,7 @@ func authProvidersTypes(schemas *types.Schemas) *types.Schemas { schema.ResourceMethods = []string{} }). MustImportAndCustomize(&PublicVersion, v3.AuthToken{}, func(schema *types.Schema) { - schema.CollectionMethods = []string{http.MethodGet, http.MethodDelete} + schema.CollectionMethods = []string{} schema.ResourceMethods = []string{http.MethodGet, http.MethodDelete} }). MustImportAndCustomize(&PublicVersion, v3.AuthProvider{}, func(schema *types.Schema) {
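Review bot: none of the four files in this change is a test, so nothing pins the new behaviour of the `v3.AuthToken` customization in `authProvidersTypes`. A regression test asserting that `CollectionMethods` is empty for that schema, plus one covering the `apierrors.IsNotFound` branch added to `ByID`, would stop a later schema edit from reintroducing the unauthenticated listing unnoticed.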
bedd911b9b32 Fix public authTokens endpoint (#48616)
4 files changed · +8 −112
pkg/auth/providers/publicapi/store.go+7 −15 modified@@ -1,6 +1,8 @@ package publicapi import ( + "fmt" + "github.com/rancher/norman/httperror" "github.com/rancher/norman/objectclient" "github.com/rancher/norman/store/empty" @@ -10,7 +12,7 @@ import ( v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3" "github.com/rancher/rancher/pkg/namespace" "github.com/rancher/rancher/pkg/types/config" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" 
@@ -79,27 +81,17 @@ type authTokensStore struct { func (t *authTokensStore) ByID(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { token, err := t.tokens.GetNamespaced(namespace.GlobalNamespace, id, v1.GetOptions{}) if err != nil { + if apierrors.IsNotFound(err) { + return nil, httperror.NewAPIError(httperror.NotFound, fmt.Sprintf("token %s not found", id)) + } return nil, err } generated := transformToAuthToken(token) return generated, err } -func (t *authTokensStore) List(apiContext *types.APIContext, schema *types.Schema, opt *types.QueryOptions) ([]map[string]interface{}, error) { - tokens, err := t.tokens.ListNamespaced(namespace.GlobalNamespace, v1.ListOptions{}) - if err != nil { - return nil, err - } - var result []map[string]interface{} - for _, token := range tokens.Items { - generated := transformToAuthToken(&token) - result = append(result, generated) - } - return result, nil -} - func (t *authTokensStore) Delete(apiContext *types.APIContext, schema *types.Schema, id string) (map[string]interface{}, error) { - if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) { + if err := t.tokens.DeleteNamespaced(namespace.GlobalNamespace, id, &v1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) { return nil, err } return nil, nil
pkg/client/generated/management/v3public/zz_generated_auth_token.go+0 −94 modified@@ -1,9 +1,5 @@ package client -import ( - "github.com/rancher/norman/types" -) - const ( AuthTokenType = "authToken" AuthTokenFieldAnnotations = "annotations" @@ -19,7 +15,6 @@ const ( ) type AuthToken struct { - types.Resource Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` Created string `json:"created,omitempty" yaml:"created,omitempty"` CreatorID string `json:"creatorId,omitempty" yaml:"creatorId,omitempty"` 
@@ -31,92 +26,3 @@ type AuthToken struct { Token string `json:"token,omitempty" yaml:"token,omitempty"` UUID string `json:"uuid,omitempty" yaml:"uuid,omitempty"` } - -type AuthTokenCollection struct { - types.Collection - Data []AuthToken `json:"data,omitempty"` - client *AuthTokenClient -} - -type AuthTokenClient struct { - apiClient *Client -} - -type AuthTokenOperations interface { - List(opts *types.ListOpts) (*AuthTokenCollection, error) - ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) - Create(opts *AuthToken) (*AuthToken, error) - Update(existing *AuthToken, updates interface{}) (*AuthToken, error) - Replace(existing *AuthToken) (*AuthToken, error) - ByID(id string) (*AuthToken, error) - Delete(container *AuthToken) error -} - -func newAuthTokenClient(apiClient *Client) *AuthTokenClient { - return &AuthTokenClient{ - apiClient: apiClient, - } -} - -func (c *AuthTokenClient) Create(container *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoCreate(AuthTokenType, container, resp) - return resp, err -} - -func (c *AuthTokenClient) Update(existing *AuthToken, updates interface{}) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoUpdate(AuthTokenType, &existing.Resource, updates, resp) - return resp, err -} - -func (c *AuthTokenClient) Replace(obj *AuthToken) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoReplace(AuthTokenType, &obj.Resource, obj, resp) - return resp, err -} - -func (c *AuthTokenClient) List(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - err := c.apiClient.Ops.DoList(AuthTokenType, opts, resp) - resp.client = c - return resp, err -} - -func (c *AuthTokenClient) ListAll(opts *types.ListOpts) (*AuthTokenCollection, error) { - resp := &AuthTokenCollection{} - resp, err := c.List(opts) - if err != nil { - return resp, err - } - data := resp.Data - for next, err := resp.Next(); next != nil && err == nil; next, err = 
next.Next() { - data = append(data, next.Data...) - resp = next - resp.Data = data - } - if err != nil { - return resp, err - } - return resp, err -} - -func (cc *AuthTokenCollection) Next() (*AuthTokenCollection, error) { - if cc != nil && cc.Pagination != nil && cc.Pagination.Next != "" { - resp := &AuthTokenCollection{} - err := cc.client.apiClient.Ops.DoNext(cc.Pagination.Next, resp) - resp.client = cc.client - return resp, err - } - return nil, nil -} - -func (c *AuthTokenClient) ByID(id string) (*AuthToken, error) { - resp := &AuthToken{} - err := c.apiClient.Ops.DoByID(AuthTokenType, id, resp) - return resp, err -} - -func (c *AuthTokenClient) Delete(container *AuthToken) error { - return c.apiClient.Ops.DoResourceDelete(AuthTokenType, &container.Resource) -}
pkg/client/generated/management/v3public/zz_generated_client.go+0 −2 modified@@ -7,7 +7,6 @@ import ( type Client struct { clientbase.APIBaseClient - AuthToken AuthTokenOperations AuthProvider AuthProviderOperations } @@ -21,7 +20,6 @@ func NewClient(opts *clientbase.ClientOpts) (*Client, error) { APIBaseClient: baseClient, } - client.AuthToken = newAuthTokenClient(client) client.AuthProvider = newAuthProviderClient(client) return client, nil
pkg/schemas/management.cattle.io/v3public/public_schema.go+1 −1 modified@@ -27,7 +27,7 @@ func authProvidersTypes(schemas *types.Schemas) *types.Schemas { schema.ResourceMethods = []string{} }). MustImportAndCustomize(&PublicVersion, v3.AuthToken{}, func(schema *types.Schema) { - schema.CollectionMethods = []string{http.MethodGet, http.MethodDelete} + schema.CollectionMethods = []string{} schema.ResourceMethods = []string{http.MethodGet, http.MethodDelete} }). MustImportAndCustomize(&PublicVersion, v3.AuthProvider{}, func(schema *types.Schema) {
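Review bot: in pkg/client/generated/management/v3public, removing `AuthTokenOperations`, the `AuthToken` field on `Client` and the embedded `types.Resource` from `AuthToken` changes the exported surface of the package, so any external caller of `client.AuthToken.ByID` or `client.AuthToken.Delete` stops compiling. If these zz_generated files are regenerated output that follows from the schema change, say so in the commit message, and mention the removed client in the release notes so downstream users of the v3public client know to expect it.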
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (15)
- github.com/advisories/GHSA-5qmp-9x47-92q8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-23387 (ghsa, ADVISORY)
- bugzilla.suse.com/show_bug.cgi (nvd, WEB)
- github.com/rancher/rancher/commit/2481630c4a5a75d81eb69d10d7558ea833395a1e (ghsa, WEB)
- github.com/rancher/rancher/commit/bedd911b9b321436faa2d9e20a161f6ac396aa74 (ghsa, WEB)
- github.com/rancher/rancher/commit/ceeedb1aa67c319f4873615f19c3f56a66f39706 (ghsa, WEB)
- github.com/rancher/rancher/commit/dfa034d05a55b5e57990a1f700176dcd8e963dbc (ghsa, WEB)
- github.com/rancher/rancher/pull/48616 (ghsa, WEB)
- github.com/rancher/rancher/pull/48998 (ghsa, WEB)
- github.com/rancher/rancher/pull/48999 (ghsa, WEB)
- github.com/rancher/rancher/pull/49000 (ghsa, WEB)
- github.com/rancher/rancher/releases/tag/v2.10.3 (ghsa, WEB)
- github.com/rancher/rancher/releases/tag/v2.8.13 (ghsa, WEB)
- github.com/rancher/rancher/releases/tag/v2.9.7 (ghsa, WEB)
- github.com/rancher/rancher/security/advisories/GHSA-5qmp-9x47-92q8 (nvd, WEB)