CVE-2021-36775
published 2022-04-04
CVE-2021-36775: an Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher…
Priority P351 · high · 8.8 CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.93% (56.2nd percentile)
An Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects SUSE Rancher versions prior to 2.4.18, Rancher versions prior to 2.5.12 and Rancher versions prior to 2.6.3.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 0 < 2.4.18 | 2.4.18 |
| github.com | rancher_rancher | >= 2.5.0 < 2.5.12 | 2.5.12 |
| github.com | rancher_rancher | >= 2.6.0 < 2.6.3 | 2.6.3 |
| rancher | rancher | < 2.4.18 | 2.4.18 |
| rancher | rancher | >= 2.5.0 < 2.5.12 | 2.5.12 |
| rancher | rancher | >= 2.6.0 < 2.6.3 | 2.6.3 |
| suse | rancher | < 2.4.18 | 2.4.18 |
| suse | rancher | < 2.5.12 | 2.5.12 |
| suse | rancher | < 2.6.3 | 2.6.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
OSV
Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher
osv·2024-06-05
Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher before v2.4.18, from v2.5.0 before v2.5.12, from v2.6.0 before v2.6.3.
GHSA
Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication
ghsa·2024-04-24
CVE-2021-36775 [HIGH] CWE-284 Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication
### Impact
This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2.
When a Project Role associated with a group is removed from a project, the bindings that grant those subjects access to cluster-scoped resources are not deleted. This happens because of an incomplete authorization logic check. A user who is a member of an affected group and has authenticated access to Rancher could use this to reach resources they should no longer have access to. The exposure depends on the permission level originally granted by the affected project role.
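The fix is the upgrade, but a practitioner will also want to confirm that no orphaned bindings survive in the downstream clusters. Added here as an example (not text from the advisory and not Rancher's own code): a Python audit that reads the output of `kubectl get clusterrolebindings,rolebindings -A -o json` from a downstream cluster and reports every binding whose Group subject is not in the set of groups that Rancher currently says should hold a role. The JSON document, the binding and role names, the `okta_group://` principal format and the expected-groups set are all constructed for this example; built-in `system:` groups are skipped because Rancher does not manage them.

```python
import json

# Constructed sample in the shape of
#   kubectl get clusterrolebindings,rolebindings -A -o json
# run against a downstream cluster. Binding names, roles and group principal
# names are made up for this example; they are not taken from the advisory.
SAMPLE_BINDINGS_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "crb-dev-team-view-nodes"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view-nodes"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "okta_group://dev-team"}]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "crb-contractors-view-nodes"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view-nodes"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "okta_group://contractors"}]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "RoleBinding",
      "metadata": {"name": "rb-contractors-edit", "namespace": "payments"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "okta_group://contractors"}]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "system:basic-user"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "system:basic-user"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "crb-admin-user"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "u-abc123"}]
    }
  ]
}
"""

# Groups that still hold a project or cluster role according to Rancher. In a
# real audit, build this set from the ProjectRoleTemplateBindings and
# ClusterRoleTemplateBindings that currently exist; this set is constructed.
EXPECTED_GROUPS = {"okta_group://dev-team"}


def find_orphaned_group_bindings(bindings_json, expected_groups):
    """Return every binding whose Group subject is no longer expected to have access.

    Built-in Kubernetes groups (system:...) are not managed by Rancher and are
    skipped; User and ServiceAccount subjects are out of scope for this CVE.
    """
    orphaned = []
    for item in json.loads(bindings_json).get("items", []):
        meta = item.get("metadata", {})
        role = item.get("roleRef", {}).get("name", "")
        # "subjects" may be absent or null on a binding with no subjects left
        for subject in item.get("subjects") or []:
            if subject.get("kind") != "Group":
                continue
            group = subject.get("name", "")
            if group.startswith("system:") or group in expected_groups:
                continue
            orphaned.append({
                "kind": item.get("kind", ""),
                "namespace": meta.get("namespace", ""),  # empty for ClusterRoleBinding
                "name": meta.get("name", ""),
                "group": group,
                "role": role,
            })
    # Deterministic order so two audit runs can be diffed
    return sorted(orphaned, key=lambda b: (b["kind"], b["namespace"], b["name"]))


if __name__ == "__main__":
    for b in find_orphaned_group_bindings(SAMPLE_BINDINGS_JSON, EXPECTED_GROUPS):
        where = f"{b['namespace']}/" if b["namespace"] else ""
        print(f"{b['kind']} {where}{b['name']}: group {b['group']} still bound to {b['role']}")
```

Run as-is it reports the two `okta_group://contractors` bindings and nothing else: the `dev-team` binding is expected, the `system:authenticated` binding is a Kubernetes default, and the User binding is not a group grant. Against a real cluster, replace `SAMPLE_BINDINGS_JSON` with the kubectl output and fill `EXPECTED_GROUPS` from the bindings Rancher still holds; any binding the script lists for a group whose project role was removed is exactly the leftover this advisory describes and can be removed with `kubectl delete`.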
### Patches
Patched versions include releas
OSV
Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication
osv·2024-04-24
CVE-2021-36775 [HIGH] Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2022-04-04