PT-2024-10046 · Rancher+2 · Rke2+3
Published 2024-06-17 · Updated 2025-04-16 · CVE-2023-32197
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Rancher Manager versions prior to v2.8.9
RKE2 versions prior to v1.27.15
RKE2 versions prior to v1.28.11
RKE2 versions prior to v1.29.6
RKE2 versions prior to v1.30.2
Description
The issue is an incorrect permission assignment for a critical resource in Rancher Manager, the tool for managing Kubernetes clusters. Because the resource is protected by insecure Access Control Lists, a remote attacker can escalate privileges. The vulnerability affects Windows nodes.
Recommendations
For RKE2 versions prior to v1.27.15, update to version v1.27.15 or later.
For RKE2 versions prior to v1.28.11, update to version v1.28.11 or later.
For RKE2 versions prior to v1.29.6, update to version v1.29.6 or later.
For RKE2 versions prior to v1.30.2, update to version v1.30.2 or later.
For Rancher Manager versions prior to v2.8.9, update to version v2.8.9 or later.
As a temporary workaround, consider restricting access to the vulnerable github.com/rancher/rke2 and github.com/rancher/rancher modules until a patch is available.
Exploit · Fix · LPE · Incorrect Permission · Improper Privilege Management
Related Identifiers
Affected Products
Rke2
Rancher Manager
Suse
Windows