CVE-2023-32194 — Improper Privilege Management in Rancher

CWE-269 — Improper Privilege Management5 documents4 sources

Severity

8.6HIGHNVD

EPSS

0.1%

top 68.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Rancher Github.com Rancher Rancher

Timeline

PublishedOct 16

Description

A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces"; no matter the API group, the subject will receive * permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5suse/rancher2.6.0 — 2.6.14+2

▶Gogithub.com/rancher_rancher2.6.0 — 2.6.14+2

🔴Vulnerability Details

CVEList

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'↗2024-10-16

▶

OSV

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher↗2024-06-28

▶

OSV

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'↗2024-02-08

▶

GHSA

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'↗2024-02-08

▶