CVE-2023-22648

Name of the Vulnerable Software and Affected Versions SUSE Rancher versions 2.6.7 through 2.6.12 SUSE Rancher versions 2.7.0 through 2.7.3

Description The issue is related to improper privilege management, where changes in Azure AD permissions are not reflected in the Rancher UI for logged-in users. This means users retain their previous permissions, even if their group membership changes in Azure AD, such as being moved to a lower-privileged group or being removed from a group. As a result, users retain access to Rancher instead of losing it.

Recommendations For SUSE Rancher versions 2.6.7 through 2.6.12, update to version 2.6.13 or later. For SUSE Rancher versions 2.7.0 through 2.7.3, update to version 2.7.4 or later.