PT-2021-3775 · Rancher · Rancher

Jonathan Mercier · Published 2021-07-15 · Updated 2024-06-10 · CVE-2021-25318

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16
Description: A vulnerability in Rancher allows authenticated users of a cluster to read and modify resources they should not have access to, because permissions are assigned incorrectly. A remote attacker holding an ordinary cluster or project account can exploit it to change resources in the cluster. The affected resources include components of the downstream clusters and of the Rancher management (local) cluster, such as apiservices, clusters, and projects, so the impact extends to complete loss of confidentiality, integrity, and availability of the managed clusters (CVSS C:C/I:C/A:C).
Recommendations: For Rancher versions prior to 2.5.9, upgrade to version 2.5.9 or later. For Rancher versions prior to 2.4.16, upgrade to version 2.4.16 or later. Until the upgrade is applied, reduce exposure by limiting who holds any cluster- or project-level role in Rancher (every such account can reach the affected resources), by restricting network access to the Rancher API to trusted users, and by auditing which non-administrative principals are currently able to modify apiservices, clusters, and projects in the management cluster.
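The two checks a practitioner would want after reading the advisory are (a) whether a given Rancher version falls inside the vulnerable ranges and (b) whether non-administrative users can currently modify the resource kinds the advisory names. The script below is an added example, not code from the advisory or from the Rancher project. It assumes the fixed versions stated above (2.4.16 and 2.5.9, with the 2.6 line and later shipping fixed, and anything older than the 2.4 line counted as affected), and it assumes that Rancher exposes clusters and projects in the `management.cattle.io` API group and apiservices in `apiregistration.k8s.io`; the permission probe is a plain `kubectl auth can-i --as=<user>` run against the Rancher local cluster, with the command runner injectable so the logic can be exercised offline on constructed answers.

```python
"""Added example for CVE-2021-25318 (not the advisory's or Rancher's own code).

Two checks:
  1. is_affected(version): is this Rancher release inside the vulnerable ranges?
  2. audit_access(users): which mutating verbs can each user exercise on the
     resource kinds the advisory names, as answered by `kubectl auth can-i`?
"""
import re
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# First fixed release on each affected line (from the advisory text).
FIXED = {(2, 4): (2, 4, 16), (2, 5): (2, 5, 9)}

# Resource kinds named in the advisory as (api-group, plural).  The group
# names are assumptions about how Rancher exposes these kinds.
SENSITIVE = [
    ("apiregistration.k8s.io", "apiservices"),
    ("management.cattle.io", "clusters"),
    ("management.cattle.io", "projects"),
]
MUTATING_VERBS = ("update", "patch", "delete")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Accept '2.5.8', 'v2.5.8' or 'v2.5.9-rc1'; pre-release suffixes are ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"not a Rancher release version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(v: str) -> bool:
    major, minor, patch = parse_version(v)
    line = (major, minor)
    if line in FIXED:
        return (major, minor, patch) < FIXED[line]
    # Assumption: the advisory's "prior to 2.4.16" covers every older line,
    # while 2.6 and later were released with the fix.
    return line < (2, 4)


Runner = Callable[[List[str]], str]


def kubectl_runner(args: List[str]) -> str:
    """Real runner: execute kubectl and return its stdout ('yes' or 'no')."""
    res = subprocess.run(["kubectl", *args], capture_output=True, text=True)
    return res.stdout.strip()


def probe(user: str, group: str, resource: str, verb: str, run: Runner) -> bool:
    """One SubjectAccessReview via kubectl, impersonating the user."""
    out = run(["auth", "can-i", verb, f"{resource}.{group}",
               "--as", user, "--all-namespaces"])
    return out.strip().lower().startswith("yes")


def audit_access(users: List[str], run: Runner = kubectl_runner) -> Dict[str, List[str]]:
    """Per user, the 'verb resource.group' combinations the cluster allows.

    Any non-empty list for a principal who is not a Rancher administrator
    is exactly the exposure the advisory describes.
    """
    findings: Dict[str, List[str]] = {}
    for user in users:
        findings[user] = [
            f"{verb} {res}.{grp}"
            for grp, res in SENSITIVE
            for verb in MUTATING_VERBS
            if probe(user, grp, res, verb, run)
        ]
    return findings


if __name__ == "__main__":
    # Usage: python check_cve_2021_25318.py <rancher-version> [user ...]
    version = sys.argv[1] if len(sys.argv) > 1 else "v2.5.8"
    print(f"Rancher {version}: {'AFFECTED' if is_affected(version) else 'fixed'}")
    for user, allowed in audit_access(sys.argv[2:]).items():
        print(f"{user}: {', '.join(allowed) or 'no mutating access'}")
```

Run it against the Rancher local cluster's kubeconfig, not a downstream cluster, since the advisory's escalation targets the management cluster's objects; the principals to probe are the ordinary cluster and project members, because those are the accounts the advisory says should not reach these resources.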

Fix

Incorrect Permission


Weakness Enumeration

Related Identifiers

BDU:2021-04031
CVE-2021-25318
GHSA-F9XF-JQ4J-VQW4
GO-2024-2768

Affected Products

Rancher