mirror of
https://github.com/rancher/rancher-docs.git
synced 2026-05-06 05:03:27 +00:00
Adding CVEs for April release to relevant release notes and CVE pages.
Signed-off-by: Sunil Singh <sunil.singh@suse.com>
@@ -10,6 +10,7 @@ Rancher is committed to informing the community of security issues in our produc
|
||||
|
||||
| ID | Description | Date | Resolution |
|
||||
|----|-------------|------|------------|
|
||||
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
|
||||
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Rancher’s setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
|
||||
|
||||
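Review bot: The second sentence of the new CVE-2026-25705 description is missing its connective and commas: "Note by default only users with administrative permissions can deploy UI extensions" reads as a run-on. Suggest "Note that, by default, only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users." The other rows in this table are single clean sentences, so this one stands out.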
+1
@@ -10,6 +10,7 @@ Rancher is committed to informing the community of security issues in our produc
|
||||
|
||||
| ID | Description | Date | Resolution |
|
||||
|----|-------------|------|------------|
|
||||
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
|
||||
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Rancher’s setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
|
||||
|
||||
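Review bot: The CVE-2026-25705 row names the same feature two ways: "path traversal in Rancher Extensions" in the first sentence and "deploy UI extensions" in the second. A reader scanning for affected components cannot tell whether these are one feature or two. Pick one term, with one capitalization, and use it in both sentences.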
+1
@@ -10,6 +10,7 @@ Rancher is committed to informing the community of security issues in our produc
|
||||
|
||||
| ID | Description | Date | Resolution |
|
||||
|----|-------------|------|------------|
|
||||
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
|
||||
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Rancher’s setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
|
||||
|
||||
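Review bot: The mitigating note in the CVE-2026-25705 row, "unless explicit permission is granted to other users", does not say which permission that is. Operators who cannot upgrade straight away to one of the listed fix versions need to audit who holds it, so name the role or permission here, or link to the page that documents it, the way the CVE-2023-32199 row names the exact annotation it refers to.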
+1
@@ -10,6 +10,7 @@ Rancher is committed to informing the community of security issues in our produc
|
||||
|
||||
| ID | Description | Date | Resolution |
|
||||
|----|-------------|------|------------|
|
||||
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
|
||||
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Rancher’s setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
|
||||
|
||||
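Review bot: The hunk header "@@ -10,6 +10,7 @@" shows a single row added to this table, while the commit message speaks of "CVEs" for the April release. If more than one advisory shipped with v2.14.1, v2.13.5, v2.12.9 and v2.11.13, the others are missing from this table; if CVE-2026-25705 is the only one, the commit message should say so.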
+1
@@ -10,6 +10,7 @@ Rancher is committed to informing the community of security issues in our produc
|
||||
|
||||
| ID | Description | Date | Resolution |
|
||||
|----|-------------|------|------------|
|
||||
| [CVE-2026-25705](https://github.com/rancher/rancher/security/advisories/GHSA-5v3h-x4wf-5c35) | Rancher now protects against arbitrary file access via path traversal in Rancher Extensions. Note by default only users with administrative permissions can deploy UI extensions unless explicit permission is granted to other users. | 30 Apr 2026 | Rancher [v2.14.1](https://github.com/rancher/rancher/releases/tag/v2.14.1), [v2.13.5](https://github.com/rancher/rancher/releases/tag/v2.13.5), [v2.12.9](https://github.com/rancher/rancher/releases/tag/v2.12.9), and [v2.11.13](https://github.com/rancher/rancher/releases/tag/v2.11.13) |
|
||||
| [CVE-2025-62879](https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q) | Rancher now provides new versions of the Rancher Backup chart which prevent the leak of secret S3 credentials via the Rancher Backup pod log. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2025-67601](https://github.com/rancher/rancher/security/advisories/GHSA-mc24-7m59-4q5p) | Rancher now removes the ability to fetch CA certificates stored in Rancher’s setting `cacerts` when using the `login` command. | 29 Jan 2026 | Rancher [v2.13.2](https://github.com/rancher/rancher/releases/tag/v2.13.2), [v2.12.6](https://github.com/rancher/rancher/releases/tag/v2.12.6), [v2.11.10](https://github.com/rancher/rancher/releases/tag/v2.11.10), and [v2.10.11](https://github.com/rancher/rancher/releases/tag/v2.10.11) |
|
||||
| [CVE-2023-32199](https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59) | Rancher now removes the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings were marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true`. | 23 Oct 2025 | Rancher [v2.12.3](https://github.com/rancher/rancher/releases/tag/v2.12.3) and [v2.11.7](https://github.com/rancher/rancher/releases/tag/v2.11.7) |
|
||||
|
||||
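Review bot: This is the fifth hunk in the commit with the same header and the same CVE-2026-25705 row, so the row text is now maintained in five copies. Any later correction to the description or the Resolution links has to be repeated in every copy, and the copies can drift. Consider moving the table into one shared include that each page pulls in, or at least confirm in the PR description that the five copies are meant to stay identical.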