PT-2023-11445 · Rancher · Rancher

Macedogmpu · Published 2023-06-06 · Updated 2023-12-14 · CVE-2020-10676

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Rancher versions 2.x through 2.6.12
Rancher versions 2.7.x through 2.7.3

Description

An issue allows users with certain access to a namespace to move it to a different project, potentially gaining access to project-specific resources and causing availability issues due to quota limits. Users with roles such as Project Owner and Project Member on the source project, or custom roles with similar privileges, can exploit this. The root cause is an authorization check that is applied incorrectly.

Recommendations

For Rancher versions 2.x through 2.6.12, update to version 2.6.13 or later. For Rancher versions 2.7.x through 2.7.3, update to version 2.7.4 or later. As a temporary workaround, consider restricting access to namespace move operations to minimize the risk of exploitation.

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2020-10676
GHSA-8VHC-HWHC-CPJ4

Affected Products

Rancher