CVE-2023-22651 — Improper Privilege Management in Rancher Rancher

CWE-269 — Improper Privilege Management CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

9.9CRITICALNVD

EPSS

0.4%

top 39.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Rancher Rancher Suse Rancher

Timeline

PublishedMay 4

Description

Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages3 packages

▶CVEListV5suse/rancher2.6.0 — 2.7.2

▶NVDsuse/rancher2.6.0 — 2.7.2

▶Gogithub.com/rancher_rancher2.7.2 — 2.7.3+1

🔴Vulnerability Details

CVEList

CVE-2023-22651: Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation↗2023-05-04

▶

GHSA

Rancher Webhook is misconfigured during upgrade process↗2023-04-24

▶

OSV

Rancher Webhook is misconfigured during upgrade process↗2023-04-24

▶