{ "schema_version": "1.4.0", "id": "GHSA-95fc-g4gj-mqmx", "modified": "2025-05-05T22:02:01Z", "published": "2025-04-25T15:12:44Z", "aliases": [ "CVE-2023-32198" ], "summary": "Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks", "details": "### Impact\nA vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using Steve.\n\nFor example, Rancher relies on Steve as a dependency for its user interface (UI) to proxy requests to Kubernetes clusters. Users who have the permission to create a service in Rancher’s local cluster can take over Rancher’s UI and display their own UI to gather sensitive information. This is only possible when the setting `ui-offline-preferred` is manually set to `remote` (by default Rancher sets it to `dynamic`). This enables further attacks such as cross-site scripting (XSS), or tampering the UI to collect passwords from other users etc.\n\nPlease consult the associated [MITRE ATT&CK - Technique - Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557/) for further information about this category of attack.\n\n### Patches\nPatched versions of Steve include releases `v0.2.1`, `v0.3.3`, `v0.4.4` and `v0.5.13`.\n\nThis vulnerability is addressed by changing Steve to always verify a server’s certificate based on Go’s TLS settings.\n\n### Workarounds\nIf you can't upgrade to a fixed version, please make sure that you are only using Steve to connect to trusted servers.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/rancher/steve" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.2.0" }, { "fixed": "0.2.1" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/rancher/steve" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.3.0" }, { "fixed": "0.3.3" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/rancher/steve" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.4.0" }, { "fixed": "0.4.4" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/rancher/steve" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.5.0" }, { "fixed": "0.5.13" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/rancher/steve/security/advisories/GHSA-95fc-g4gj-mqmx" }, { "type": "PACKAGE", "url": "https://github.com/rancher/steve" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2025-3648" } ], "database_specific": { "cwe_ids": [ "CWE-295" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-25T15:12:44Z", "nvd_published_at": null } }