Security policy

Rancher Labs supports responsible disclosure, and endeavours to resolve all issues in a reasonable time frame.

Reporting process

Please submit possible security issues by emailing security@rancher.com

Announcements

Subscribe to the Rancher announcements forum for release updates.

Rancher Vulnerabilities

| ID | Description | Date | Resolution |
| --- | --- | --- | --- |
| CVE-2018-20321 | Any project member with access to the default namespace can mount the netes-default service account in a pod and then use that pod to execute administrative privileged commands against the Kubernetes cluster. | 29 Jan 2019 | Rancher v2.1.6 and Rancher v2.0.11. Rolling back from these versions or greater has specific instructions. |
| CVE-2019-6287 | Project members continue to get access to namespaces from projects that they were removed from if they were added to more than one project. | 29 Jan 2019 | Rancher v2.1.6 and Rancher v2.0.11 |