PT-2025-43690 · Suse · Rancher

Published: 2025-10-24 · Updated: 2025-11-07 · CVE-2023-32199

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Rancher versions prior to 2.12.3
Rancher versions prior to 2.11.7
Description

A flaw exists in Rancher Manager where removing a custom GlobalRole granting administrative access, or its corresponding binding, does not revoke the user's access to clusters. This impacts custom Global Roles with a "* on * in *" rule for resources or a "* on *" rule for non-resource URLs. Specifically, when a user is bound to such a custom admin GlobalRole, a ClusterRoleBinding is created on all clusters, binding the user to the cluster-admin ClusterRole. Deleting the GlobalRole or its GlobalRoleBinding does not remove this ClusterRoleBinding, allowing continued access. The issue allows a user to retain cluster access even after being unassigned from the custom admin global role or after the role's deletion. Orphaned ClusterRoleBindings are marked with the annotation authz.cluster.cattle.io/admin-globalrole-missing=true.
Recommendations

Versions prior to 2.12.3: Upgrade to version 2.12.3 or later.
Versions prior to 2.11.7: Upgrade to version 2.11.7 or later.

If upgrading is not possible, manually identify and remove orphaned ClusterRoleBindings on each cluster. The dots in the annotation key must be escaped for kubectl's jsonpath to match it:

kubectl get clusterrolebinding -o jsonpath='{range .items[?(@.metadata.annotations.authz\.cluster\.cattle\.io/admin-globalrole-missing=="true")]}{.metadata.name}{" "}{end}'
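The same orphan check can be run offline against saved output of kubectl get clusterrolebinding -o json, so the list can be reviewed before anything is deleted. This is an added example, not code from this advisory or from Rancher; the binding names and user IDs in the embedded sample are constructed placeholders.

```python
import json

# Annotation Rancher sets on the ClusterRoleBindings it left behind (from the advisory).
ORPHAN_ANNOTATION = "authz.cluster.cattle.io/admin-globalrole-missing"


def find_orphaned_bindings(crb_json_text):
    """Parse a `kubectl get clusterrolebinding -o json` document and return the
    bindings annotated admin-globalrole-missing=true. Each hit records the binding
    name, the role it grants and its subjects, so a reviewer sees who kept access."""
    hits = []
    for item in json.loads(crb_json_text).get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        # Rancher marks orphans with the string "true"; any other value is not an orphan.
        if annotations.get(ORPHAN_ANNOTATION) != "true":
            continue
        hits.append({
            "name": meta["name"],
            "role": item.get("roleRef", {}).get("name"),
            "subjects": [f"{s.get('kind')}/{s.get('name')}" for s in item.get("subjects") or []],
        })
    return hits


def delete_commands(orphans):
    """Build the kubectl commands that remove the orphans; print them for review
    instead of running them blindly."""
    return [f"kubectl delete clusterrolebinding {o['name']}" for o in orphans]


# Constructed sample standing in for real kubectl output; names are placeholders.
SAMPLE_CRB_JSON = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "grb-example-orphan",
                  "annotations": {ORPHAN_ANNOTATION: "true"}},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "u-placeholder"}]},
    {"metadata": {"name": "grb-example-live",
                  "annotations": {ORPHAN_ANNOTATION: "false"}},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "u-other"}]},
]})

if __name__ == "__main__":
    orphans = find_orphaned_bindings(SAMPLE_CRB_JSON)
    for o in orphans:
        print(f"{o['name']}: grants {o['role']} to {', '.join(o['subjects'])}")
    print("\n".join(delete_commands(orphans)))
```

Replace SAMPLE_CRB_JSON with the real kubectl output from each downstream cluster; only bindings carrying the annotation with the exact value "true" are reported.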

Weakness Enumeration

Improper Preservation of Permissions (CWE-281)

Related Identifiers

CVE-2023-32199
GHSA-J4VR-PCMW-HX59
GO-2025-4073
OPENSUSE-SU-2025:15710-1

Affected Products

Rancher