GHSA-95FC-G4GJ-MQMX
Vulnerability from github – Published: 2025-04-25 15:12 – Updated: 2025-05-05 22:02Impact
A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using Steve.
For example, Rancher relies on Steve as a dependency for its user interface (UI) to proxy requests to Kubernetes clusters. Users who have the permission to create a service in Rancher’s local cluster can take over Rancher’s UI and display their own UI to gather sensitive information. This is only possible when the setting ui-offline-preferred is manually set to remote (by default Rancher sets it to dynamic). This enables further attacks such as cross-site scripting (XSS), or tampering the UI to collect passwords from other users etc.
Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle for further information about this category of attack.
Patches
Patched versions of Steve include releases v0.2.1, v0.3.3, v0.4.4 and v0.5.13.
This vulnerability is addressed by changing Steve to always verify a server’s certificate based on Go’s TLS settings.
Workarounds
If you can't upgrade to a fixed version, please make sure that you are only using Steve to connect to trusted servers.
References
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/steve"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/steve"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/steve"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "0.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/steve"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.5.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32198"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-25T15:12:44Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nA vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using Steve.\n\nFor example, Rancher relies on Steve as a dependency for its user interface (UI) to proxy requests to Kubernetes clusters. Users who have the permission to create a service in Rancher\u2019s local cluster can take over Rancher\u2019s UI and display their own UI to gather sensitive information. This is only possible when the setting `ui-offline-preferred` is manually set to `remote` (by default Rancher sets it to `dynamic`). This enables further attacks such as cross-site scripting (XSS), or tampering the UI to collect passwords from other users etc.\n\nPlease consult the associated [MITRE ATT\u0026CK - Technique - Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557/) for further information about this category of attack.\n\n### Patches\nPatched versions of Steve include releases `v0.2.1`, `v0.3.3`, `v0.4.4` and `v0.5.13`.\n\nThis vulnerability is addressed by changing Steve to always verify a server\u2019s certificate based on Go\u2019s TLS settings.\n\n### Workarounds\nIf you can\u0027t upgrade to a fixed version, please make sure that you are only using Steve to connect to trusted servers.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
"id": "GHSA-95fc-g4gj-mqmx",
"modified": "2025-05-05T22:02:01Z",
"published": "2025-04-25T15:12:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/steve/security/advisories/GHSA-95fc-g4gj-mqmx"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/steve"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3648"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Steve doesn\u2019t verify a server\u2019s certificate and is susceptible to man-in-the-middle (MitM) attacks"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.