Rancher Security Vulnerabilities - 2023
In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.
8.8CVSS
8.6AI Score
0.001EPSS
A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.
8.8CVSS
8.2AI Score
0.001EPSS
A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Rancher Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.
9.8CVSS
9.2AI Score
0.002EPSS
A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versi...
9.9CVSS
8.7AI Score
0.001EPSS
A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users by default) This issu...
7.6CVSS
6.8AI Score
0.001EPSS
A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10.
8.8CVSS
8.7AI Score
0.001EPSS
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that isexecuted within another user's browser, allowing the attacker to stealsensitive information, manipulate web co...
8.4CVSS
8.2AI Score
0.001EPSS
An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the localcluster, resulting in the secret being deleted, but their read-levelpermissions to the secret being preserved. When this operatio...
9.9CVSS
7.5AI Score
0.0004EPSS
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to userswhile they are logged in the Rancher UI. This would cause the users toretain their previous permissions in Rancher, even if they change groupson Azure AD, for example, to ...
8.8CVSS
8.4AI Score
0.001EPSS
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead tothe misconfiguration of the Webhook. This component enforces validationrules and security checks before resources are admitted into theKub...
9.9CVSS
9.4AI Score
0.001EPSS