Name of the Vulnerable Software and Affected Versions Rancher versions 2.5.0 through 2.5.16 Rancher versions 2.6.0 through 2.6.9 Rancher version 2.7.0

Description This issue affects Rancher setups with an external authentication provider configured or previously configured. When an external authentication provider is disabled, the associated tokens are not revoked, allowing users to retain access to Rancher and kubectl access to clusters managed by Rancher. The problem also occurs when the auth provider is configured to use specific access level scopes and users are removed from the authorized lists. Tokens for authenticated sessions have a time to live set to 960 minutes by default, while kubeconfig tokens are configured to never expire.

Recommendations For versions 2.5.0 through 2.5.16, update to version 2.5.17 or later. For versions 2.6.0 through 2.6.9, update to version 2.6.10 or later. For version 2.7.0, update to version 2.7.1 or later. As a temporary workaround for versions that cannot be updated, review and remove tokens associated with auth providers manually by executing kubectl get tokens and kubectl delete tokens <token name>. After updating to a patched version, review existing tokens and remove tokens related to disabled auth providers.