CVE-2021-25318
Published: 2021-07-15
Priority: P351 · Severity: high · CVSS 3.1 base score: 8.8
EPSS: 1.05% (60.0th percentile)
An Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects Rancher versions prior to 2.5.9 and Rancher versions prior to 2.4.16.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.0.0 < 2.4.16 | 2.4.16 |
| github.com | rancher_rancher | >= 2.0.0+incompatible | — |
| github.com | rancher_rancher | >= 2.5.0 < 2.5.9 | 2.5.9 |
| rancher | rancher | < 2.4.16 | 2.4.16 |
| rancher | rancher | >= 2.5.0 < 2.5.9 | 2.5.9 |
| rancher | rancher | >= Rancher < 2.5.9 | 2.5.9 |
| rancher | rancher | >= Rancher < 2.4.16 | 2.4.16 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
OSV · 2024-06-10
CVE-2021-25318: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.
OSV · 2024-04-24
CVE-2021-25318 [HIGH]: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example, Rancher should have allowed users access to `apps.catalog.cattle.io` but instead incorrectly gave access to `apps.*`. Resources affected include:

**Downstream clusters:**
- apiservices
- clusters
- clusterrepos
- persistentvolumes
- storageclasses

**Rancher management cluster:**
- apprevisions
- apps
- catalogtemplates
- catalogtemplateversions
- clusteralertgroups
- clusteralertrules
- clustercatalogs
- clusterloggings
- clustermonitorgraphs
- clusterregistrationtokens
- clusterroletemplatebindings
- clusterscans
- etcdbackups
- nodepools
- nodes
- notifi
GHSA · 2024-04-24
CVE-2021-25318 [HIGH] CWE-732: Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
Advisory text identical to the OSV entry above.
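The apiGroup over-grant described in the advisory text above, as an added Python example (not Rancher's code): it models Kubernetes PolicyRule matching, places a rule that leaves `apiGroups` as `*` beside one pinned to `catalog.cattle.io`, and includes an audit check that flags the wildcard-group pattern. The Role rules and the second group `other.example.io` are constructed assumptions, not Rancher's actual generated objects.

```python
# Added example (not Rancher's code): a small audit of Kubernetes RBAC
# PolicyRules showing why an unpinned apiGroup over-grants.
# The rules below are constructed illustrations (assumption), not the
# objects Rancher actually generated.
from typing import Dict, List

PolicyRule = Dict[str, List[str]]

# Weak: apiGroups "*" means the resource name `apps` matches in EVERY
# API group, i.e. "apps.*" rather than only apps.catalog.cattle.io.
WEAK_RULES: List[PolicyRule] = [
    {"apiGroups": ["*"], "resources": ["apps", "apprevisions"],
     "verbs": ["get", "list", "update"]},
]

# Corrected: the group is pinned, so only catalog.cattle.io resources match.
FIXED_RULES: List[PolicyRule] = [
    {"apiGroups": ["catalog.cattle.io"], "resources": ["apps", "apprevisions"],
     "verbs": ["get", "list", "update"]},
]


def rule_allows(rule: PolicyRule, group: str, resource: str, verb: str) -> bool:
    """Kubernetes PolicyRule semantics: every field must match; '*' is a
    wildcard, and '' in apiGroups denotes the core group."""
    def matches(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (matches(rule["apiGroups"], group)
            and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def allowed(rules: List[PolicyRule], group: str, resource: str, verb: str) -> bool:
    """True if any rule in the Role grants the request."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def wildcard_group_resources(rules: List[PolicyRule]) -> List[str]:
    """Audit check: resources granted under apiGroups '*' follow the
    CVE-2021-25318 pattern and should be pinned to a concrete group."""
    return [res for r in rules if "*" in r["apiGroups"] for res in r["resources"]]


if __name__ == "__main__":
    # Hypothetical second API group that also serves a resource named `apps`.
    other = "other.example.io"
    print(allowed(WEAK_RULES, other, "apps", "update"))   # True: over-grant
    print(allowed(FIXED_RULES, other, "apps", "update"))  # False
    print(wildcard_group_resources(WEAK_RULES))           # ['apps', 'apprevisions']
```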
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.