CVE-2024-22031 — Incorrect Authorization in Rancher
Severity: HIGH (no vector)
EPSS: No EPSS data
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 25
Latest update: May 5
Description
Rancher users who can create Projects can gain access to arbitrary projects
### Impact
A vulnerability has been identified in Rancher where a user who can create a project on a certain cluster can create a project with the same name as an existing project in a different cluster. The user thereby gains access to the other project in the different cluster, which is a privilege escalation. This happens because the namespace used on the local cluster to store related…
Affected Packages: 1 package
Vulnerability Details
OSV: Rancher users who can create Projects can gain access to arbitrary projects in github.com/rancher/rancher (2025-05-05)