CVE-2024-22031
published 2025-04-25CVE-2024-22031: Rancher users who can create Projects can gain access to arbitrary projects ### Impact A vulnerability has been identified within Rancher where a user with the…
high
Rancher users who can create Projects can gain access to arbitrary projects ### Impact A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other project in the different cluster, resulting in a privilege escalation. This happens because the namespace used on the local cluster to store related resources (PRTBs and secrets) is the name of the project. Please consult the associated [MITRE ATT&CK - Technique - Privilege Escalation](https://attack.mitre.org/tactics/TA0004/) for further information about this category of attack. ### Patches Patched versions include releases `v2.11.1`, `v2.10.5`, `v2.9.9`. The fix involves the following changes: **Rancher:** - Instead of using the project name as the namespace, Rancher will instead be using a new field on the project spec called backingNamespace. If that field exists, use that for the project namespace going forward. However, if the project does not have that field filled out (likely because it existed before this change), Rancher will continue using the name for the namespace. **Rancher Webhook:** - New mutation on create `project.Status.BackingNamespace` to be `SafeConcatName(project.Spec.ClusterName, project.Name)`; - Generate the name manually within the mutating webhook, because normally, name generation happens after the mutating webhooks; - Removed a validation where `projectName` and `Namespace` had to be the same for PRTBs, since PRTBs now go in `project.BackingNamespace`; - On update, if `BackingNamespace` isn't set, set it to `project.Name`. For existing objects after update this will help unify them to the new projects. - The `BackingNamespace` can't be edited after it's set. **Note: Rancher v2.8 release line does not have the fix for this CVE. The fix for v2.8 was considered too complex and with the r
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 2.10.0 < 2.10.5 | 2.10.5 |
| github.com | rancher_rancher | >= 2.11.0 < 2.11.1 | 2.11.1 |
| github.com | rancher_rancher | >= 2.8.0 < 2.9.9 | 2.9.9 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher
osv·2025-05-05
CVE-2024-22031 Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher
Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher
Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher from v2.8.0 before v2.9.9, from v2.10.0 before v2.10.5, from v2.11.0 before v2.11.1.
GHSA
Rancher users who can create Projects can gain access to arbitrary projects
ghsa·2025-04-25
CVE-2024-22031 [HIGH] CWE-863 Rancher users who can create Projects can gain access to arbitrary projects
Rancher users who can create Projects can gain access to arbitrary projects
### Impact
A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other project in the different cluster, resulting in a privilege escalation. This happens because the namespace used on the local cluster to store related resources (PRTBs and secrets) is the name of the project.
Please consult the associated [MITRE ATT&CK - Technique - Privilege Escalation](https://attack.mitre.org/tactics/TA0004/) for further information about this category of attack.
### Patches
Patched versions include releases `v2.11.1`, `v2.1
OSV
Rancher users who can create Projects can gain access to arbitrary projects
osv·2025-04-25
CVE-2024-22031 [HIGH] Rancher users who can create Projects can gain access to arbitrary projects
Rancher users who can create Projects can gain access to arbitrary projects
### Impact
A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other project in the different cluster, resulting in a privilege escalation. This happens because the namespace used on the local cluster to store related resources (PRTBs and secrets) is the name of the project.
Please consult the associated [MITRE ATT&CK - Technique - Privilege Escalation](https://attack.mitre.org/tactics/TA0004/) for further information about this category of attack.
### Patches
Patched versions include releases `v2.11.1`, `v2.1
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-04-25
Published