Suse · Suse Rancher · CVE-2021-36783
**Name of the Vulnerable Software and Affected Versions**
SUSE Rancher versions prior to 2.6.4
Rancher versions prior to 2.5.13
**Description**
A vulnerability in SUSE Rancher allows authenticated users, including Cluster Owners, Cluster Members, Project Owners, and Project Members, to read credentials, passwords, and API tokens that are stored in cleartext and exposed via API endpoints. Because these secrets are stored unencrypted, a remote attacker can exploit the issue to gain access to account credentials, passwords, and API tokens.
**Recommendations**
For SUSE Rancher versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue.
For Rancher versions prior to 2.5.13, update to version 2.5.13 or later to resolve the issue.
As a temporary workaround until the update can be applied, consider restricting access to the API endpoints that expose sensitive information.