PT-2022-10546 · Suse · Suse Rancher

Jonathan Mercier · Published 2022-04-01 · Updated 2024-06-05 · CVE-2021-36775

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SUSE Rancher versions prior to 2.4.18
SUSE Rancher versions prior to 2.5.12
SUSE Rancher versions prior to 2.6.3

Description

An Improper Access Control issue in SUSE Rancher allows users to retain privileges that should have been revoked. This occurs due to an incomplete authorization logic check when removing a Project Role associated with a group from a project, resulting in the bindings that grant access to cluster-scoped resources not being deleted. A user who is a member of an affected group with authenticated access to Rancher could exploit this to access resources they should no longer have access to. The exposure level depends on the original permission level granted to the affected project role.

Recommendations

For SUSE Rancher versions prior to 2.4.18, update to version 2.4.18 or later.
For SUSE Rancher versions prior to 2.5.12, update to version 2.5.12 or later.
For SUSE Rancher versions prior to 2.6.3, update to version 2.6.3 or later.
As a temporary workaround, limit access in Rancher to trusted users.
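The three affected ranges above are easy to misread when several Rancher instances sit on different minor lines (2.4.x, 2.5.x, 2.6.x), so the following is an added example, not part of this advisory or of Rancher itself, that encodes the stated fixed releases and reports, for each instance in an inventory, the minimum release it should be updated to. The inventory names and version strings are constructed; the fixed versions are the ones the advisory gives. Pre-release builds such as 2.6.3-rc2 are treated as older than the final 2.6.3, which is an assumption of this example rather than a statement from the advisory.

```python
"""Check SUSE Rancher version strings against the affected ranges in this
advisory (CVE-2021-36775) and report the minimum fixed release to move to.
Added example; the inventory below is constructed sample data."""

from typing import Dict, Optional, Tuple

# Fixed release per minor line, as stated in the advisory's Recommendations.
FIXED_BY_LINE = {
    (2, 4): (2, 4, 18),
    (2, 5): (2, 5, 12),
    (2, 6): (2, 6, 3),
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'v2.5.11', '2.6.3' or '2.6.3-rc2' into a comparable tuple.

    The fourth element is 0 for a pre-release and 1 for a final release, so
    2.6.3-rc2 sorts below 2.6.3 (assumption of this example)."""
    core, sep, _pre = text.strip().lstrip("vV").partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Rancher version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if sep else 1)


def fixed_release_for(version: str) -> Optional[str]:
    """Return the advisory's minimum fixed release for the line this version
    is on, or None when the version is already at or past its fix."""
    major, minor, patch, final = parse_version(version)
    if (major, minor) in FIXED_BY_LINE:
        target = FIXED_BY_LINE[(major, minor)]
    elif (major, minor) < (2, 4):
        # Older lines fall under "prior to 2.4.18": move to 2.4.18 or later.
        target = FIXED_BY_LINE[(2, 4)]
    else:
        # 2.7 and later are outside the ranges stated in the advisory.
        return None
    # A final release of the target version itself is fixed; anything below,
    # including a pre-release of the target, is still inside the range.
    if (major, minor, patch, final) < target + (1,):
        return ".".join(str(n) for n in target)
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the stated affected ranges."""
    return fixed_release_for(version) is not None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each instance still inside an affected range to the release it
    should be updated to. `inventory` is {instance name: version string}."""
    result = {}
    for name, ver in inventory.items():
        fix = fixed_release_for(ver)
        if fix is not None:
            result[name] = fix
    return result


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = {
    "rancher-prod": "v2.5.11",
    "rancher-staging": "2.6.3",
    "rancher-legacy": "2.4.17",
    "rancher-lab": "2.6.3-rc2",
}

if __name__ == "__main__":
    for name, fix in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: update to {fix} or later")
```

Feeding it the version strings reported by each Rancher instance gives a per-instance upgrade target; instances on 2.7 or later are reported as outside the advisory's stated ranges rather than as fixed, since the advisory says nothing about them.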

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2021-36775
GHSA-28G7-896H-695V
GO-2024-2760

Affected Products

Suse Rancher