Andy Pitcher

**Name of the Vulnerable Software and Affected Versions** Rancher versions 2.8.0 through 2.8.12 Rancher versions 2.9.0 through 2.9.6 Rancher versions 2.10.0 through 2.10.2 **Description** A vulnerability in Rancher allows local user impersonation through SAML Authentication on first login. The issue occurs when a SAML authentication provider is configured, and a newly created user can impersonate any user on Rancher by manipulating cookie values during their initial login. This vulnerability could also be exploited if a Rancher user is removed. Rancher validates only a subset of input from the SAML assertion request and trusts values that are not properly validated, allowing an attacker to configure the `saml Rancher UserID` cookie and the `saml Rancher Action` cookie to add the user principal from the authentication provider to the user specified by the attacker. **Recommendations** For versions 2.8.0 through 2.8.12, update to version 2.8.13 or later. For versions 2.9.0 through 2.9.6, update to version 2.9.7 or later. For versions 2.10.0 through 2.10.2, update to version 2.10.3 or later. As a temporary workaround for deployments that cannot upgrade, consider disabling the SAML-based authentication provider to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Rancher versions 2.6.0 through 2.6.13 Rancher versions 2.7.0 through 2.7.9 Rancher versions 2.8.0 through 2.8.1 **Description** A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces". This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project. The subject will receive * permissions for core namespaces, regardless of the API group. This can result in leakage of secrets and abuse of resource quotas. **Recommendations** For Rancher versions 2.6.0 through 2.6.13, update to version 2.6.14. For Rancher versions 2.7.0 through 2.7.9, update to version 2.7.10. For Rancher versions 2.8.0 through 2.8.1, update to version 2.8.2. As a temporary workaround, consider restricting the use of global roles for resource type "namespaces" until a patch is available. Avoid granting create or * global roles for "namespaces" to minimize the risk of exploitation.