CVE-2020-10676
Published 2023-12-12
Priority: P3 51, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.03% (percentile 59.3)
In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.6.0 < 2.6.13 | 2.6.13 |
| github.com | rancher_rancher | >= 2.7.0 < 2.7.4 | 2.7.4 |
| suse | rancher | >= 2.0.0 < 2.6.13 | 2.6.13 |
| suse | rancher | >= 2.7.0 < 2.7.4 | 2.7.4 |
GHSA
Rancher users retain access after moving namespaces into projects they don't have access to
ghsa·2023-06-06
CVE-2020-10676 [HIGH] CWE-863 Rancher users retain access after moving namespaces into projects they don't have access to
### Impact
A vulnerability was identified in which users with update privileges on a namespace can move that namespace into a project they don't have access to. After the namespace transfer is completed, their previous permissions are still preserved, which enables them to gain access to project-specific resources (such as [project secrets](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-resources-setup/secrets#creating-secrets-in-projects)). In addition, resources in the namespace will now count toward the [quota limit](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/manage-projects/manage-project-resource-quotas/about-project-resource-q
OSV
Rancher users retain access after moving namespaces into projects they don't have access to
osv·2023-06-06
CVE-2020-10676 [HIGH] Rancher users retain access after moving namespaces into projects they don't have access to
No detection rules found.
No public exploits indexed.
https://forums.rancher.com/c/announcements
https://github.com/advisories/GHSA-8vhc-hwhc-cpj4
https://github.com/rancher/rancher/releases/tag/v2.6.13
https://github.com/rancher/rancher/releases/tag/v2.7.4