CVE-2025-23391: Incorrect Privilege Assignment in Rancher

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.3% (top 42.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 11

Description

An Incorrect Privilege Assignment vulnerability in SUSE Rancher allows a Restricted Administrator to change the passwords of Administrators and take over their accounts. This issue affects Rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, and from 2.10.0 before 2.10.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Affected Packages (2 packages)

Source      Package                      Introduced   Fixed
CVEList V5  suse/rancher                 2.8.0        2.8.14 (+2 more ranges)
Go          github.com/rancher/rancher   2.8.0        2.8.14 (+2 more ranges)

Vulnerability Details (4 references)

CVEList: Rancher: Restricted Administrator can change Administrator's passwords (2025-04-11)
OSV: Rancher: Restricted Administrator can change Administrator's passwords in github.com/rancher/rancher (2025-04-02)
OSV: Rancher: Restricted Administrator can change Administrator's passwords (2025-04-01)
GHSA: Rancher: Restricted Administrator can change Administrator's passwords (2025-04-01)
CVE-2025-23391 — Incorrect Privilege Assignment | cvebase