PT-2024-12302 · Rancher · Rancher
Andy Pitcher · Published 2024-02-08 · Updated 2024-10-16
CVE-2023-32194
CVSS v4.0: 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Rancher versions 2.6.0 through 2.6.13
Rancher versions 2.7.0 through 2.7.9
Rancher versions 2.8.0 through 2.8.1
Description
A vulnerability has been identified in how Rancher handles global roles that grant the create or * verb on the "namespaces" resource type. A subject granted such a role receives * permissions on core API group namespaces regardless of the API group specified in the role, and can therefore access, create, update, or delete namespaces in the project. This can result in leakage of secrets and abuse of resource quotas.
Recommendations
For Rancher versions 2.6.0 through 2.6.13, update to version 2.6.14.
For Rancher versions 2.7.0 through 2.7.9, update to version 2.7.10.
For Rancher versions 2.8.0 through 2.8.1, update to version 2.8.2.
As a temporary workaround, consider restricting the use of global roles for resource type "namespaces" until a patch is available. Avoid granting create or * global roles for "namespaces" to minimize the risk of exploitation.
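An audit check that supports the workaround above by listing which GlobalRoles grant create or * on "namespaces", added here as an example and not part of the advisory or of Rancher's own tooling. It assumes GlobalRole objects in the shape returned by `kubectl get globalroles.management.cattle.io -o json` (items[].rules[] with apiGroups, resources and verbs); the sample data is constructed, and a rule on resources "*" is conservatively treated as covering namespaces.

```python
import json

# Constructed sample in the assumed shape of
# `kubectl get globalroles.management.cattle.io -o json`.
SAMPLE_GLOBALROLES_JSON = """
{
  "items": [
    {"metadata": {"name": "ns-creator"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["create"]}]},
    {"metadata": {"name": "ns-reader"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "mgmt-wildcard"},
     "rules": [{"apiGroups": ["management.cattle.io"], "resources": ["namespaces"], "verbs": ["*"]}]},
    {"metadata": {"name": "admin-like"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pods-only"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]}
  ]
}
"""

# Verbs the advisory names as triggering the unintended namespace permissions.
RISKY_VERBS = {"create", "*"}


def rule_grants_namespace_create(rule):
    """True if a single PolicyRule grants create or * on namespaces.
    The API group is deliberately ignored: per the advisory the effect
    applies regardless of which apiGroups the rule lists."""
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    covers_namespaces = "namespaces" in resources or "*" in resources  # "*" assumed to include namespaces
    return covers_namespaces and bool(verbs & RISKY_VERBS)


def risky_global_roles(globalroles_json):
    """Return one finding per GlobalRole rule that matches the advisory's condition."""
    findings = []
    for gr in json.loads(globalroles_json).get("items", []):
        name = gr["metadata"]["name"]
        for rule in gr.get("rules") or []:
            if rule_grants_namespace_create(rule):
                findings.append({
                    "globalrole": name,
                    "apiGroups": rule.get("apiGroups") or [],
                    "verbs": sorted(set(rule.get("verbs") or []) & RISKY_VERBS),
                })
    return findings


if __name__ == "__main__":
    for f in risky_global_roles(SAMPLE_GLOBALROLES_JSON):
        print(f"REVIEW {f['globalrole']}: verbs={f['verbs']} apiGroups={f['apiGroups']}")
```

Roles listed by the check are candidates for removal or for narrowing to non-create verbs until the fixed version is deployed.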
Weakness Enumeration
Improper Privilege Management
Affected Products
Rancher