CVE-2021-36775 Deleting PRTBs associated to a group doesn't cause deletion of corresponding RoleBindings

2022-04-0107:40:11

CWE-284

suse

www.cve.org

cve-2021-36775

improper access control

suse rancher

privileges

deletion

rolebindings

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

37.0%

JSON

a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.

CNA Affected

[
  {
    "product": "Rancher",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "2.4.18",
        "status": "affected",
        "version": "Rancher",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Rancher",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "2.5.12",
        "status": "affected",
        "version": "Rancher",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Rancher",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "2.6.3",
        "status": "affected",
        "version": "Rancher",
        "versionType": "custom"
      }
    ]
  }
]