GitHub Advisory Database: GHSA-28G7-896H-695V
Published: Apr 24, 2024, 9:01 p.m.

Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

CWE-284
Source: GitHub Advisory Database (github.com)

CVSS2: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 7.1 (Confidence: High)
EPSS: 0.001 (Percentile: 37.0%)

Impact

This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2.

When a Project Role associated with a group is removed from a project, the bindings that grant access to cluster-scoped resources for those subjects are not deleted. This happens because the authorization logic check is incomplete. A user who is a member of an affected group and has authenticated access to Rancher could use this to reach resources they should no longer have access to. The level of exposure depends on the permission level originally granted to the affected project role.
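The following is an added example, not Rancher's code: a simplified model of the cleanup failure described above, with the incomplete removal beside a complete one and an audit that lists the cluster-scoped bindings left behind. The Binding type, the subject and project names, and the sample state are all constructed assumptions for illustration.

```python
# Added illustration, not Rancher's implementation: a minimal model of
# project-role bindings and the orphan they leave when cleanup is incomplete.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    subject: str   # constructed subject name, e.g. "group:devs"
    scope: str     # "project" or "cluster": what the binding grants access to
    project: str   # the project role whose grant created this binding


def remove_project_role_incomplete(bindings, subject, project):
    """Models the flawed cleanup: only project-scoped bindings are dropped,
    so cluster-scoped bindings created by the same project role survive."""
    return [b for b in bindings
            if not (b.subject == subject and b.project == project
                    and b.scope == "project")]


def remove_project_role_fixed(bindings, subject, project):
    """Complete cleanup: every binding the project role produced is dropped,
    whatever its scope."""
    return [b for b in bindings
            if not (b.subject == subject and b.project == project)]


def orphaned_bindings(bindings):
    """Audit: cluster-scoped bindings whose originating project role no
    longer has a project-scoped binding for the same subject."""
    live = {(b.subject, b.project) for b in bindings if b.scope == "project"}
    return [b for b in bindings
            if b.scope == "cluster" and (b.subject, b.project) not in live]


# Constructed sample state: two groups each hold a project role that grants
# both a project-scoped and a cluster-scoped binding.
SAMPLE = [
    Binding("group:devs", "project", "p-alpha"),
    Binding("group:devs", "cluster", "p-alpha"),
    Binding("group:ops", "project", "p-beta"),
    Binding("group:ops", "cluster", "p-beta"),
]


def demo():
    """Remove group:devs from p-alpha both ways; return the orphans each leaves."""
    after_bug = remove_project_role_incomplete(SAMPLE, "group:devs", "p-alpha")
    after_fix = remove_project_role_fixed(SAMPLE, "group:devs", "p-alpha")
    return orphaned_bindings(after_bug), orphaned_bindings(after_fix)
```

Running `demo()` shows one orphaned cluster-scoped binding for group:devs after the incomplete cleanup and none after the complete one; the audit function is the part worth adapting to real binding data.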

Patches

Patched versions include releases 2.4.18, 2.5.12, 2.6.3 and later versions.

Workarounds

Limit access in Rancher to trusted users. There is no direct mitigation other than upgrading to the patched Rancher versions.

References

Cluster and project roles documentation for Rancher 2.6, 2.5 and 2.4.

For more information

If you have any questions or comments about this advisory:

Affected configurations

Vulners node:
  rancher / rancher, range 2.6.0 to 2.6.2
  OR rancher / rancher, range 2.5.0 to 2.5.11
  OR rancher / rancher, range up to 2.4.17

Vendor: rancher
Product: rancher
Version: *
CPE: cpe:2.3:a:rancher:rancher:*:*:*:*:*:*:*:*
