CVE-2022-43759

Name of the Vulnerable Software and Affected Versions SUSE Rancher versions prior to 2.5.17 SUSE Rancher versions prior to 2.6.10

Description A Improper Privilege Management vulnerability in SUSE Rancher allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects users with access to the escalate verb on PRTBs, including users with * verbs on PRTBs. The vulnerability can be exploited by users without the mentioned permissions if a role template with access to those objects was already created by another user in the cluster.

The following resources are affected:

Recommendations For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. As a temporary workaround, consider restricting access to the projectroletemplatebindings resource and minimizing the creation of custom roles that contain the escalate, * or write verbs on projectroletemplatebindings resource. Only grant Project Owner and Manage Project Members roles to trusted users. Minimize the number of users that have permissions to create, patch and update roletemplates.