PT-2022-10547 · Suse · Suse Rancher

Jonathan Mercier · Published 2022-04-01 · Updated 2024-06-05 · CVE-2021-36776

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SUSE Rancher versions prior to 2.5.10
Description: An Improper Access Control issue allows remote attackers to impersonate arbitrary users. The cause is that the Steve API proxy does not drop the impersonation header before forwarding the request to the Kubernetes API, so an authenticated user can impersonate any user on a cluster. A malicious user with authenticated access could use this to impersonate another user with administrator access and thereby obtain administrator-level access in the cluster.
Recommendations: For versions prior to 2.5.10, upgrade to release 2.5.10, 2.6.0, or a later version to resolve the issue. As a temporary workaround, limit access in SUSE Rancher to trusted users.
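The following is an added defensive illustration, not code from Rancher or from this advisory's author: a Go reverse proxy that removes the standard Kubernetes impersonation headers (Impersonate-User, Impersonate-Group, Impersonate-Uid, Impersonate-Extra-*) before forwarding a request upstream, which is the behaviour the fix restores. The upstream address, the audit log line and the sample headers in main are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// stripImpersonationHeaders deletes Impersonate-User, Impersonate-Group,
// Impersonate-Uid and Impersonate-Extra-* from a client request so the upstream
// call carries only the proxy's own identity. It returns what it removed so the
// caller can log the attempt.
func stripImpersonationHeaders(h http.Header) []string {
	var dropped []string
	for name := range h {
		if strings.HasPrefix(http.CanonicalHeaderKey(name), "Impersonate-") {
			dropped = append(dropped, name)
		}
	}
	for _, name := range dropped {
		h.Del(name)
	}
	return dropped
}

// newHardenedProxy forwards to the API server but strips impersonation headers
// first; the vulnerable pattern is the same proxy without this Director hook.
func newHardenedProxy(apiServer *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(apiServer)
	base := proxy.Director
	proxy.Director = func(r *http.Request) {
		base(r)
		if dropped := stripImpersonationHeaders(r.Header); len(dropped) > 0 {
			fmt.Printf("dropped %v from %s\n", dropped, r.RemoteAddr) // audit signal
		}
	}
	return proxy
}

func main() {
	// Constructed sample: a valid bearer token plus smuggled impersonation headers.
	h := http.Header{}
	h.Set("Authorization", "Bearer <user-token>")
	h.Set("Impersonate-User", "admin")
	h.Add("Impersonate-Group", "system:masters")
	h.Set("Impersonate-Extra-Scopes", "cluster-admin")
	fmt.Println("dropped:", stripImpersonationHeaders(h), "remaining:", h)
}
```

A request that still carries these headers after the proxy's own authentication is also a useful detection signal, since a legitimate client of the proxy has no reason to send them.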

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2021-36776
GHSA-GVH9-XGRQ-R8HW
GO-2024-2771

Affected Products

Suse Rancher