CVE-2023-32199 — Improper Preservation of Permissions in Rancher
Severity
4.3 MEDIUM (NVD)
EPSS
0.0%
top 99.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 29
Latest update: Oct 30
Description
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters. This only affects custom Global Roles that have a * on * in * rule for resources or have a * on * rule for non-resource URLs.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Exploitability: 0.9 | Impact: 3.4
Affected Packages: 2 packages
Vulnerability Details
4 OSV
Rancher user retains access to clusters despite Global Role removal in github.com/rancher/rancher (2025-10-30)