CVE-2021-4200 — Improper Privilege Management in Rancher

CWE-269 — Improper Privilege Management CWE-285 — Improper Authorization4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 42.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Rancher Github.com Rancher Rancher

Timeline

PublishedMay 2

Description

A Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when restricted-admin role is enabled. This issue affects: SUSE Rancher Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5suse/rancherRancher — 2.5.13+1

▶NVDsuse/rancher2.6.0 — 2.6.4+1

▶Gogithub.com/rancher_rancher2.6.0 — 2.6.4+1

🔴Vulnerability Details

GHSA

Write access to the catalog for any user when restricted-admin role is enabled in Rancher↗2022-05-02

▶

OSV

Write access to the catalog for any user when restricted-admin role is enabled in Rancher↗2022-05-02

▶

CVEList

Write access to the Catalog for any user when restricted-admin role is enabled↗2022-05-02

▶