PT-2022-10551 · Suse · Suse Rancher

Guilherme Macedo · Published 2022-05-02 · Updated 2022-05-09

CVE-2021-36784
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SUSE Rancher versions prior to 2.5.13; SUSE Rancher versions prior to 2.6.4

Description: An Improper Privilege Management issue in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. This affects customers who use non-admin users that are able to create or edit Global Roles. The vulnerability can be exploited by users with create or update permissions on Global Roles, allowing them to escalate their own permissions, or those of another user, to admin-level permissions.

Recommendations: For SUSE Rancher versions prior to 2.5.13, update to version 2.5.13 or later. For SUSE Rancher versions prior to 2.6.4, update to version 2.6.4 or later. As a temporary workaround, limit access in Rancher to trusted users. Review the roles and users created by non-admin users with create or edit permissions on Global Roles for possible privilege escalations.
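The review step above can be scripted. The following is an added audit helper, not code from the advisory or from the Rancher project: it flags GlobalRoles whose rules grant create/update on Global Roles and lists the subjects bound to them. It assumes the management.cattle.io/v3 object shapes (GlobalRole `rules` with apiGroups/resources/verbs; GlobalRoleBinding `globalRoleName` and `userName`/`groupPrincipalName`) and that the built-in admin role is named `admin`; the sample objects are constructed, not real cluster output.

```python
import json

# Verbs that let a holder rewrite Global Roles, the escalation path this advisory describes.
ESCALATION_VERBS = {"create", "update", "patch", "*"}
# apiGroup values that cover globalroles.management.cattle.io (assumed group name).
MATCHING_GROUPS = {"*", "management.cattle.io"}


def can_edit_global_roles(role: dict) -> bool:
    """True if any rule in the GlobalRole grants create/update on globalroles."""
    for rule in role.get("rules") or []:
        groups = set(rule.get("apiGroups") or [])
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        if groups & MATCHING_GROUPS and resources & {"globalroles", "*"} and verbs & ESCALATION_VERBS:
            return True
    return False


def risky_bindings(roles: list, bindings: list, ignore=("admin",)) -> dict:
    """Map each escalation-capable GlobalRole (except names in `ignore`, assumed built-ins) to its bound subjects."""
    flagged = {r["metadata"]["name"] for r in roles
               if r["metadata"]["name"] not in ignore and can_edit_global_roles(r)}
    result = {name: [] for name in sorted(flagged)}
    for b in bindings:
        name = b.get("globalRoleName")
        if name in result:
            result[name].append(b.get("userName") or b.get("groupPrincipalName") or "<unknown>")
    return result


# Constructed sample items in the shape of `kubectl get globalroles -o json` / `globalrolebindings -o json`.
SAMPLE_ROLES = json.loads("""[
 {"metadata": {"name": "admin"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "custom-global-role-editor"}, "rules": [
   {"apiGroups": ["management.cattle.io"], "resources": ["globalroles"], "verbs": ["get", "list", "create", "update"]}]},
 {"metadata": {"name": "catalog-reader"}, "rules": [
   {"apiGroups": ["management.cattle.io"], "resources": ["catalogs"], "verbs": ["get", "list"]}]}
]""")
SAMPLE_BINDINGS = json.loads("""[
 {"metadata": {"name": "grb-1"}, "globalRoleName": "admin", "userName": "u-admin"},
 {"metadata": {"name": "grb-2"}, "globalRoleName": "custom-global-role-editor", "userName": "u-alice"},
 {"metadata": {"name": "grb-3"}, "globalRoleName": "catalog-reader", "userName": "u-bob"}
]""")

if __name__ == "__main__":
    for role, subjects in risky_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        print(f"{role}: can create/update Global Roles; bound to {', '.join(subjects) or 'nobody'}")
```

On a live cluster, replace the samples with the `items` arrays from the two `kubectl get ... -o json` commands and treat every flagged non-built-in role as a candidate for the escalation described above.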

Fix

Improper Authorization

Improper Privilege Management


Weakness Enumeration

Related Identifiers

CVE-2021-36784
GHSA-JWVR-VV7P-GPWQ

Affected Products

Suse Rancher