PT-2024-11972 · Rancher · Rancher
Pdellamore · Published 2024-06-17 · Updated 2025-10-24
CVE-2023-22650
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rancher versions prior to 2.7.14
Rancher versions prior to 2.8.5
Description
A vulnerability has been identified in which Rancher does not automatically clean up a user who has been deleted from the configured authentication provider. The same applies to users who have been disabled or revoked at the provider, and it may leave the user's Rancher tokens usable. An adversary may gain unauthorized access because the user's access privileges may still be active within Rancher even though they are no longer valid on the configured authentication provider.
Recommendations
For versions prior to 2.7.14, update to version 2.7.14 or later to address the issue.
For versions prior to 2.8.5, update to version 2.8.5 or later to address the issue.
As a temporary workaround, consider manually deleting or disabling inactive users via kubectl or the UI to reflect changes made on the authentication provider.
Enable the new user retention process to run periodically and disable and/or delete inactive users, and configure the retention period as needed.
Regularly audit the authentication provider’s user accounts for activity and manually deactivate or remove them from Rancher if they are no longer needed.
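The workaround above amounts to a periodic reconciliation: compare the users Rancher still holds against what the authentication provider still reports, disable the ones that are gone, and, because the description says disabled users' tokens may stay usable, delete their live tokens as well. The script below is an added example (not Rancher's own code and not part of this advisory) that performs that audit offline over the JSON that `kubectl get users.management.cattle.io -o json` and `kubectl get tokens.management.cattle.io -o json` would print. The field names it reads (`enabled`, `principalIds`, `userId`, `expired`) and the `github_user://` principal prefix are assumptions about Rancher's management.cattle.io resources and should be checked against your own cluster; the sample user, token and provider data are constructed. It only prints the kubectl commands an operator would review and run; it does not touch the cluster itself.

```python
"""Audit helper for CVE-2023-22650 style cleanup (added example, not Rancher's code).

Inputs: the JSON that `kubectl get users.management.cattle.io -o json` and
`kubectl get tokens.management.cattle.io -o json` print, plus the set of
principal IDs the external auth provider still reports as active.
Field names below are assumptions about Rancher's CRDs; verify them locally.
"""
import json
from typing import Iterable

# Constructed sample data: one local admin and two users synced from GitHub.
SAMPLE_USERS = {"items": [
    {"metadata": {"name": "u-local-admin"}, "username": "admin", "enabled": True,
     "principalIds": ["local://u-local-admin"]},
    {"metadata": {"name": "u-aaa111"}, "displayName": "alice", "enabled": True,
     "principalIds": ["github_user://1001", "local://u-aaa111"]},
    {"metadata": {"name": "u-bbb222"}, "displayName": "bob", "enabled": True,
     "principalIds": ["github_user://1002", "local://u-bbb222"]},
]}
SAMPLE_TOKENS = {"items": [
    {"metadata": {"name": "token-aaaaa"}, "userId": "u-aaa111", "expired": False},
    {"metadata": {"name": "token-bbbbb"}, "userId": "u-bbb222", "expired": False},
    {"metadata": {"name": "token-ccccc"}, "userId": "u-bbb222", "expired": True},
    {"metadata": {"name": "token-ddddd"}, "userId": "u-local-admin", "expired": False},
]}
# Assumed principal prefix for the configured provider (constructed example).
PROVIDER_PREFIX = "github_user://"
# Constructed: bob (1002) has been removed at the provider; only alice remains.
ACTIVE_AT_PROVIDER = {"github_user://1001"}


def external_principals(user: dict) -> list[str]:
    """Principal IDs of a user that belong to the external provider."""
    return [p for p in user.get("principalIds", []) if p.startswith(PROVIDER_PREFIX)]


def stale_users(users: dict, active_principals: set[str]) -> list[str]:
    """Enabled Rancher users whose provider principal is no longer active.

    Local-only users (no external principal) are never flagged: the provider
    has no opinion about them.
    """
    stale = []
    for user in users["items"]:
        ext = external_principals(user)
        still_valid = any(p in active_principals for p in ext)
        if ext and not still_valid and user.get("enabled", True):
            stale.append(user["metadata"]["name"])
    return stale


def live_tokens_for(tokens: dict, user_ids: Iterable[str]) -> list[str]:
    """Names of unexpired tokens owned by the given Rancher user IDs."""
    wanted = set(user_ids)
    return [t["metadata"]["name"] for t in tokens["items"]
            if t.get("userId") in wanted and not t.get("expired", False)]


def remediation_commands(users: dict, tokens: dict, active_principals: set[str]) -> list[str]:
    """kubectl commands to disable stale users and revoke their live tokens."""
    stale = stale_users(users, active_principals)
    patch = json.dumps({"enabled": False})  # -> {"enabled": false}
    cmds = [f"kubectl patch users.management.cattle.io {u} --type=merge -p '{patch}'"
            for u in stale]
    # Disabling alone is not enough per the advisory: drop the tokens too.
    cmds += [f"kubectl delete tokens.management.cattle.io {t}"
             for t in live_tokens_for(tokens, stale)]
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_USERS, SAMPLE_TOKENS, ACTIVE_AT_PROVIDER):
        print(cmd)
```

Feeding real cluster output in place of the constructed dictionaries (for example via `json.load` on the two `kubectl ... -o json` results) turns this into a review-then-run checklist; the `active_principals` set is the part that has to come from the provider's own API or export, which is exactly the synchronization step the vulnerable versions lacked.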
Fix
Improper Authentication
Insufficient Session Expiration
Missing Authentication
Affected Products: Rancher