Rancher Manager Username Update Vulnerability Leading to Access Denial

Vulnerability

A vulnerability exists in Rancher Manager versions 2.9.0 prior to 2.9.12, 2.10.0 prior to 2.10.10, 2.11.0 prior to 2.11.6, and 2.12.0 prior to 2.12.2. The issue arises from a lack of server-side validation on the '.username' field, allowing users with update permissions on User resources to disrupt access for targeted accounts. This can be achieved by changing a username to 'admin', locking out both the original admin and the affected user, or by altering the username of an admin account, thereby blocking access to the Rancher UI.

Impact

Exploitation of this vulnerability can lead to unauthorized username changes, causing account lockouts. This disrupts access for users, particularly administrators, who may be locked out of the Rancher UI.

Remediation

Users can upgrade to Rancher versions 2.12.2, 2.11.6, 2.10.10, or 2.9.12. If an upgrade is not possible, it is recommended to restrict update permissions on user resources to trusted individuals.
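The recommended workaround is to limit who holds update permission on User resources. The script below is an added example, not Rancher's own tooling, that audits Kubernetes RBAC for exactly that: it walks ClusterRole rules and ClusterRoleBindings and reports every subject that can update or patch the cluster-scoped resource users.management.cattle.io, which is how Rancher stores its User objects. The role and binding objects embedded in it are constructed sample data in the shape returned by kubectl get clusterroles,clusterrolebindings -o json; on a real cluster you would feed that JSON into the same functions. Rancher also manages much of its own RBAC through GlobalRole objects, which carry rules in the same PolicyRule shape, so the same matcher can be pointed at those as well (an assumption about your deployment, not something the advisory states).

```python
"""Audit Kubernetes RBAC for subjects that can update Rancher User objects.

Only subjects with update/patch on users.management.cattle.io can reach the
username-change issue, so listing them is the first step in restricting the
permission to trusted individuals. Objects below are constructed sample data.
"""

TARGET_GROUP = "management.cattle.io"   # API group of Rancher's User CRD
TARGET_RESOURCE = "users"               # cluster-scoped User objects
WRITE_VERBS = {"update", "patch"}       # verbs that let a subject rewrite .username


def rule_grants_write(rule):
    """True if a single PolicyRule grants update/patch on the target resource.

    A '*' in apiGroups, resources or verbs matches anything, as it does in the
    Kubernetes RBAC authorizer. The apiGroup check matters: 'users' in the core
    ("") group is not Rancher's User object.
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    group_ok = "*" in groups or TARGET_GROUP in groups
    resource_ok = "*" in resources or TARGET_RESOURCE in resources
    verb_ok = "*" in verbs or bool(WRITE_VERBS & set(verbs))
    return group_ok and resource_ok and verb_ok


def roles_granting_write(cluster_roles):
    """Names of ClusterRoles containing at least one rule that grants write."""
    return {
        role["metadata"]["name"]
        for role in cluster_roles
        if any(rule_grants_write(rule) for rule in role.get("rules", []))
    }


def subjects_with_write(cluster_roles, cluster_role_bindings):
    """Return sorted (kind, name, role) tuples for every subject that can
    update Rancher Users. Only ClusterRoleBindings are considered: a namespaced
    RoleBinding to a ClusterRole never grants access to cluster-scoped objects.
    """
    risky_roles = roles_granting_write(cluster_roles)
    found = set()
    for binding in cluster_role_bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        for subject in binding.get("subjects", []):
            found.add((subject.get("kind"), subject.get("name"), ref["name"]))
    return sorted(found)


# Constructed sample data (assumed names, not from any real cluster).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "user-editor"},
     "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["users"],
                "verbs": ["get", "list", "update"]}]},
    {"metadata": {"name": "user-viewer"},
     "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["users"],
                "verbs": ["get", "list", "watch"]}]},
    # Same resource name, wrong API group: must NOT be flagged.
    {"metadata": {"name": "core-users-writer"},
     "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["update"]}]},
]

SAMPLE_CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "user-editor"},
     "subjects": [{"kind": "User", "name": "ops-bot"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "user-viewer"},
     "subjects": [{"kind": "User", "name": "helpdesk"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "core-users-writer"},
     "subjects": [{"kind": "User", "name": "legacy-sync"}]},
]


def audit_sample():
    """Run the audit over the constructed data."""
    return subjects_with_write(SAMPLE_CLUSTER_ROLES, SAMPLE_CLUSTER_ROLE_BINDINGS)


if __name__ == "__main__":
    for kind, name, role in audit_sample():
        print(f"{kind}/{name} can update Rancher Users via ClusterRole {role}")
```

Every subject the audit prints should be either a trusted administrator or a candidate for having the update/patch verbs removed from its role until the fixed version is deployed. Wildcards are the usual blind spot: a role with resources ["*"] in apiGroups ["*"] grants the permission without ever naming users, which is why the matcher treats "*" as a match rather than looking for the literal string.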

Added: Oct 2, 2025, 12:18 PM
Updated: Oct 2, 2025, 7:58 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          3.1
impact          0.6
exploitability  4.8
remediation     7.9
relevance       0.6
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.