CVE-2022-31247: Improper Authorization in Rancher

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.3% (top 42.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 7; latest update Mar 3

Description

An Improper Authorization vulnerability in SUSE Rancher allows any user who has permission to create or edit cluster role template bindings (CRTBs) or project role template bindings (PRTBs), such as holders of the cluster-owner, manage cluster members, project-owner or manage project members roles, to gain owner permission in another project in the same cluster or in a project on a different downstream cluster. This issue affects SUSE Rancher versions prior to 2.6.7 and Rancher versions prior to 2.5.16.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Affected Packages (3 packages)

Source | Package | Introduced | Fixed
CVEListV5 | suse/rancher | Rancher | 2.6.7 (+1)
NVD | suse/rancher | 2.5.0 | 2.5.16 (+1)
Go | github.com/rancher_rancher | 2.5.0 | 2.5.16 (+1)

Vulnerability Details (3 advisories)

GHSA: Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) (2026-03-03)
OSV: Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) (2026-03-03)
CVEList: Rancher: Downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) (2022-09-07)
CVE-2022-31247 — Improper Authorization in Suse Rancher | cvebase