CVE-2023-32192: 
Chainguard vulnerability analysis and mitigation

A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser. This vulnerability is tracked as CVE-2023-32192 and was disclosed on February 8, 2024. The vulnerability affects Rancher API Server versions prior to the patched releases (GHSA Advisory).

The vulnerability is classified as a Reflected XSS attack where the API Server propagates malicious payloads from user input to the UI, which then renders the output. For example, a malicious URL can be rendered into a script that is executed on a page. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L. The weakness is categorized as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) (SUSE Bug, GHSA Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code in victim browsers through the API Server's public API endpoint. This can lead to remote command execution through malicious script injection. The impact is rated as HIGH with potential for significant compromise of confidentiality and integrity of the affected system (GHSA Advisory).

The vulnerability has been patched in multiple branches with the following commits: master (4fd7d82), release/v2.8 (69b3c2b), release/v2.8.s3 (a3b9e37), release/v2.7 (4e102cf), release/v2.7.s3 (97a10a3), and release/v2.6 (4df268e). The fix includes encoding input from request URLs before adding it to the response and implementing proper JavaScript and CSS variable escaping using OWASP-defined attribute encoding. There are no direct mitigations available besides updating to a patched version (GHSA Advisory).