Github.Com Rancher Rancher vulnerabilities
55 known vulnerabilities affecting github.com/rancher_rancher.
Total CVEs: 55
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 12, HIGH: 30, MEDIUM: 13
Vulnerabilities
Page 2 of 3
CVE-2023-32197 [CRITICAL] CWE-269 Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists
Affected: ≥ 2.7.0, < 2.8.9; ≥ 2.9.0, < 2.9.3 | Date: 2024-10-25
### Impact
A vulnerability has been identified whereby Rancher Manager deployments containing Windows nodes have weak Access Control Lists (ACL), allowing `BUILTIN\Users` or `NT AUTHORITY\Authenticated Users` to view or edit sensitive files which could lead to privilege escalation.
CVE-2022-45157 [HIGH] CWE-522 Exposure of vSphere's CPI and CSI credentials in Rancher
Affected: ≥ 2.9.0, < 2.9.3; ≥ 2.7.0, < 2.8.9 | Date: 2024-10-25
### Impact
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability i
CVE-2024-22030 [HIGH] CWE-295 Rancher agents can be hijacked by taking over the Rancher Server URL
Affected: ≥ 2.7.0, < 2.7.15; ≥ 2.8.0, < 2.8.8; +1 more | Date: 2024-09-26
### Impact
A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this vulnerability. The targeted domain is the
CVE-2024-22032 [HIGH] CWE-200 Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
Affected: ≥ 2.7.0, < 2.7.14; ≥ 2.8.0, < 2.8.5 | Date: 2024-06-17
### Impact
This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled.
A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the [RKE documentation](https://rke.do
CVE-2023-32196 [HIGH] CWE-269 Rancher's External RoleTemplates can lead to privilege escalation
Affected: ≥ 2.7.0, < 2.7.14; ≥ 2.8.0, < 2.8.5 | Date: 2024-06-17
### Impact
A vulnerability has been identified whereby privilege escalation checks are not properly enforced for `RoleTemplate` objects when `external=true`, which in specific scenarios can lead to privilege escalation.
The bug in the webhook rule resolver ignores rules from a `ClusterRole` for external `RoleTemplates` when its context i
CVE-2023-22650 [HIGH] CWE-287 Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
Affected: ≥ 2.7.0, < 2.7.14; ≥ 2.8.0, < 2.8.5 | Date: 2024-06-17
### Impact
A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher
CVE-2021-36776 [HIGH] CWE-284 Rancher's Steve API Component Improper authorization check allows privilege escalation
Affected: ≥ 2.5.0, < 2.5.10 | Date: 2024-04-24
### Impact
A flaw discovered in Rancher versions from 2.5.0 up to and including 2.5.9 allows an authenticated user to impersonate any user on a cluster through the Steve API proxy, without requiring knowledge of the impersonated user's credentials. This is due to the Steve API proxy not droppi
CVE-2021-25318 [HIGH] CWE-732 Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
Affected: ≥ 2.0.0, < 2.4.16; ≥ 2.5.0, < 2.5.9 | Date: 2024-04-24
A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example Rancher should have allowed users access to `apps.catalog.cattle.io`, but instead incorrectly gave access to
CVE-2021-31999 [HIGH] CWE-807 Rancher Privilege escalation vulnerability via malicious "Connection" header
Affected: ≥ 2.0.0, < 2.4.16; ≥ 2.5.0, < 2.5.9 | Date: 2024-04-24
A vulnerability was discovered in Rancher 2.0.0 through the aforementioned patched versions, where a malicious Rancher user could craft an API request directed at the proxy for the Kubernetes API of a managed cluster to gain access to information they do not have access to. This is done by passing the "Impersonate
CVE-2021-36775 [HIGH] CWE-284 Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication
Affected: ≥ 0, < 2.4.18; ≥ 2.5.0, < 2.5.12; +1 more | Date: 2024-04-24
### Impact
This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2.
When removing a Project Role associated to a group from a project, the bindi
CVE-2023-22649 [HIGH] CWE-532 Rancher 'Audit Log' leaks sensitive information
Affected: ≥ 2.6.0, < 2.6.14; ≥ 2.7.0, < 2.7.10; +1 more | Date: 2024-02-08
### Impact
A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-g
CVE-2023-32194 [HIGH] CWE-269 Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'
Affected: ≥ 2.6.0, < 2.6.14; ≥ 2.7.0, < 2.7.10; +1 more | Date: 2024-02-08
### Impact
A vulnerability has been identified when granting a `create` or `*` **global role** for a resource type of "namespaces"; no matter the API group, the subject will receive `*` permissions for core namespaces. This can lead to someone being capable of ac
CVE-2023-22647 [CRITICAL] CWE-267 Rancher vulnerable to Privilege Escalation via manipulation of Secrets
Affected: ≥ 2.6.0, < 2.6.13; ≥ 2.7.0, < 2.7.4 | Date: 2023-06-06
### Impact
A vulnerability has been identified which enables [Standard users](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions) or above to elevate their permissions to Administrator in the `l
CVE-2020-10676 [HIGH] CWE-863 Rancher users retain access after moving namespaces into projects they don't have access to
Affected: ≥ 2.6.0, < 2.6.13; ≥ 2.7.0, < 2.7.4 | Date: 2023-06-06
### Impact
A vulnerability was identified in which users with update privileges on a namespace, can move that namespace into a project they don't have access to. After the namespace transfer is completed, their previous permissions are still preserved, which enables them to gain acces
CVE-2022-43760 [MEDIUM] CWE-79 Rancher UI has multiple Cross-Site Scripting (XSS) issues
Affected: ≥ 2.6.0, < 2.6.13; ≥ 2.7.0, < 2.7.4 | Date: 2023-06-06
### Impact
Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in the Rancher UI.
Cross-Site scripting allows a malicious user to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims.
CVE-2023-22651 [CRITICAL] CWE-269 Rancher Webhook is misconfigured during upgrade process
Affected: ≥ 2.7.2, < 2.7.3; ≥ 0.0.0-20220922131902-ec6d6d3a7616, < 0.0.0-20230424183121-6d9a175954c6 | Date: 2023-04-24
### Impact
A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster.
When the Webhook is operating in a degraded state, it no longer validates any resources, which may result in s
CVE-2022-43757 [CRITICAL] CVSS 9.9 CWE-200 Plaintext storage of sensitive data in Rancher API and cluster.management.cattle.io objects
Affected: ≥ 2.5.0, < 2.5.17; ≥ 2.6.0, < 2.6.10; +1 more | Date: 2023-01-25
### Impact
This issue affects Rancher versions from 2.5.0 up to and including 2.5.16, from 2.6.0 up to and including 2.6.9 and 2.7.0. It was discovered that the security advisory CVE-2021-36782 (GHSA-g7j7-h4q8-8w2f), previously released by Rancher, missed addressing some sensitiv
CVE-2022-43755 [CRITICAL] CVSS 9.9 CWE-330 Rancher cattle-token is predictable
Affected: ≥ 2.6.0, < 2.6.10; ≥ 2.7.0, < 2.7.1 | Date: 2023-01-25
### Impact
An issue was discovered in Rancher versions up to and including 2.6.9 and 2.7.0, where the `cattle-token` secret, used by the `cattle-cluster-agent`, is predictable. Even after the token is regenerated, it will have the same value. This issue is not present in Rancher 2.5 releases.
The `cattle-token` is used by Rancher's `cattle-cluster-agent` to connect to the Kubernetes API o
CVE-2022-21953 [HIGH] CWE-284 Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
Affected: ≥ 2.5.0, < 2.5.17; ≥ 2.6.0, < 2.6.10; +1 more | Date: 2023-01-25
### Impact
An issue was discovered in Rancher where an authorization logic flaw allows an authenticated user on any downstream cluster to (1) open a shell pod in the Rancher `local` cluster and (2) have limited `kubectl` access to it. The expected behavior is that a user does not have
CVE-2022-43759 [HIGH] CWE-269 Privilege escalation in project role template binding (PRTB) and -promoted roles
Affected: ≥ 2.5.0, < 2.5.17; ≥ 2.6.0, < 2.6.10 | Date: 2023-01-25
### Impact
An issue was discovered in Rancher versions from 2.5.0 up to and including 2.5.16 and from 2.6.0 up to and including 2.6.9, where an authorization logic flaw allows privilege escalation via project role template binding (PRTB) and `-promoted` roles. This issue is not present in Rancher 2.7 rele