CVE-2023-22647

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-22647
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-22647.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-22647
Aliases
Related
Published
2023-06-01T13:15:10Z
Modified
2025-01-08T09:24:13.335927Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to use their existing permissions to manipulate Kubernetes secrets in the local (Rancher management) cluster: a user could delete a secret while their read-level permissions on that secret were preserved. When this operation was followed up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster.

This issue affects Rancher versions from 2.6.0 up to but not including 2.6.13, and from 2.7.0 up to but not including 2.7.4 (fixed in 2.6.13 and 2.7.4).
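The advisory describes a sequence (a non-admin user deletes a secret in the local cluster, then reaches service-account tokens) without naming the follow-up commands, so the practical thing to check after patching is whether that sequence shows up in the local cluster's API audit log. The following is an added example, not Rancher's code or anything from the advisory. It assumes the local cluster's kube-apiserver writes audit.k8s.io/v1 events as JSON lines (RequestResponse level where available, Metadata level otherwise) and that Rancher users appear under their Rancher usernames (u-xxxxx); the 30-minute window, the exempt group and the function names are assumptions. All sample events are constructed for the example.

```python
"""Heuristic audit-log detection for the CVE-2023-22647 pattern (added example, not Rancher's code).

Flags a non-admin user who successfully deletes a Secret and then, within a time
window, reads a Secret of type kubernetes.io/service-account-token in the same cluster.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
WINDOW = timedelta(minutes=30)           # assumption: how long "followed up" may take
ADMIN_GROUPS = {"system:masters"}        # assumption: cluster admins are exempt from the rule


def parse_ts(ts):
    """Parse an audit timestamp such as 2023-05-01T10:00:00.000000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def is_secret_delete(ev):
    """Successful DELETE of a Secret (a 403 means the deletion was refused, so it does not count)."""
    ref = ev.get("objectRef") or {}
    code = (ev.get("responseStatus") or {}).get("code", 0)
    return ev.get("verb") == "delete" and ref.get("resource") == "secrets" and 200 <= code < 300


def is_sa_token_read(ev):
    """GET/LIST of Secrets that returned (or, at Metadata level, names) a service-account token."""
    ref = ev.get("objectRef") or {}
    if ref.get("resource") != "secrets" or ev.get("verb") not in ("get", "list"):
        return False
    body = ev.get("responseObject") or {}
    if body:  # RequestResponse level: inspect the returned object(s) by type
        items = body.get("items", []) if body.get("kind") == "SecretList" else [body]
        return any(it.get("type") == SA_TOKEN_TYPE for it in items)
    # Metadata level carries no body: fall back to the default "<sa>-token-<hash>" name (lower confidence)
    return "-token-" in (ref.get("name") or "")


def find_suspicious_sequences(events, window=WINDOW):
    """Return one finding per (user, deleted secret) whose successful Secret delete
    is followed within `window` by a read of a service-account token secret."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue  # count each request once
        user = ev.get("user") or {}
        if ADMIN_GROUPS & set(user.get("groups", [])):
            continue
        by_user[user.get("username")].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["requestReceivedTimestamp"]))
        for d in (e for e in evs if is_secret_delete(e)):
            t0 = parse_ts(d["requestReceivedTimestamp"])
            for e in evs:
                t = parse_ts(e["requestReceivedTimestamp"])
                if t0 < t <= t0 + window and is_sa_token_read(e):
                    findings.append({
                        "user": user,
                        "deleted": f'{d["objectRef"].get("namespace")}/{d["objectRef"]["name"]}',
                        "token_read": e["objectRef"].get("name") or "<list>",
                        "delay_s": int((t - t0).total_seconds()),
                    })
                    break
    return findings


def load_events(jsonl):
    """Parse JSON-lines audit output into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ev(user, verb, ts, name=None, code=200, body=None, groups=()):
    """Build a constructed audit event (sample data for this example, not a real log)."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": verb, "user": {"username": user, "groups": list(groups)},
            "objectRef": {"resource": "secrets", "namespace": "cattle-system", "name": name},
            "responseStatus": {"code": code}, "responseObject": body,
            "requestReceivedTimestamp": ts}


TOKEN = {"kind": "Secret", "type": SA_TOKEN_TYPE, "metadata": {"name": "rancher-token-abcde"}}
OPAQUE = {"kind": "Secret", "type": "Opaque", "metadata": {"name": "app-creds"}}
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [       # constructed sample log
    _ev("u-alice", "get", "2023-05-01T10:00:00.000000Z", "app-creds", body=OPAQUE),
    _ev("u-alice", "delete", "2023-05-01T10:01:00.000000Z", "app-creds"),
    _ev("u-alice", "list", "2023-05-01T10:05:00.000000Z", body={"kind": "SecretList", "items": [TOKEN]}),
    _ev("u-bob", "delete", "2023-05-01T10:02:00.000000Z", "scratch"),                      # reads only Opaque
    _ev("u-bob", "get", "2023-05-01T10:03:00.000000Z", "app-creds", body=OPAQUE),
    _ev("u-carol", "delete", "2023-05-01T09:00:00.000000Z", "old"),                       # outside the window
    _ev("u-carol", "get", "2023-05-01T11:00:00.000000Z", "rancher-token-abcde", body=TOKEN),
    _ev("admin", "delete", "2023-05-01T10:10:00.000000Z", "x", groups=("system:masters",)),  # exempt
    _ev("admin", "get", "2023-05-01T10:11:00.000000Z", "rancher-token-abcde", body=TOKEN, groups=("system:masters",)),
    _ev("u-dave", "delete", "2023-05-01T10:20:00.000000Z", "y", code=403),                 # delete refused
    _ev("u-dave", "get", "2023-05-01T10:21:00.000000Z", "rancher-token-abcde", body=TOKEN),
])

if __name__ == "__main__":
    for finding in find_suspicious_sequences(load_events(SAMPLE_JSONL)):
        print(finding)
```

Only u-alice is reported: her delete succeeded and the list that followed four minutes later returned a service-account token. The rule keys on the object type rather than on the secret name wherever the log has a response body, because token secrets can be named arbitrarily; the name-pattern fallback exists only for Metadata-level logs and should be treated as a weaker signal.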

References

Affected packages

Git / github.com/rancher/rancher

Affected ranges

Type
GIT
Repo
https://github.com/rancher/rancher
Events

Affected versions

v2.*

v2.7.0
v2.7.0-novkdm
v2.7.2
v2.7.2-rc1
v2.7.2-rc10
v2.7.2-rc2
v2.7.2-rc3
v2.7.2-rc4
v2.7.2-rc5
v2.7.2-rc6
v2.7.2-rc7
v2.7.2-rc8
v2.7.2-rc9
v2.7.3
v2.7.3-kdm-2.6.12
v2.7.3-rc1
v2.7.3-rc2
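The affected-version list above mixes bare releases with suffixed builds (rc candidates, -novkdm, -kdm-2.6.12), and an inventory check has to order those correctly against the two ranges. The following is an added example, not Rancher's own tooling; it takes only the ranges stated in this advisory (2.6.0 up to 2.6.13 and 2.7.0 up to 2.7.4) and assumes that a suffixed tag is a build preceding the bare release it is named after, so it sorts just below that release. That assumption makes the check deliberately conservative: a hypothetical v2.7.4-rc1 (not on this page) is reported as affected because it predates the 2.7.4 fix. Function names are my own.

```python
"""Check Rancher version tags against the affected ranges in this advisory (added example)."""
import re

# From the advisory: [introduced, fixed) pairs
AFFECTED_RANGES = [((2, 6, 0), (2, 6, 13)), ((2, 7, 0), (2, 7, 4))]
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$")


def parse_rancher_tag(tag):
    """Return (major, minor, patch, suffix) for tags like v2.7.3-rc1; suffix is '' for a release."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a Rancher version tag: {tag!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix or ""


def sort_key(tag):
    """Orderable key: a suffixed tag (rc, novkdm, kdm-...) sorts just below the bare release it precedes."""
    major, minor, patch, suffix = parse_rancher_tag(tag)
    return (major, minor, patch, 0 if suffix else 1)


def is_affected(tag, ranges=AFFECTED_RANGES):
    """True when `tag` falls inside any [introduced, fixed) range.

    The lower bound admits pre-builds of the introducing release and the upper bound
    excludes only the fixed release itself, so pre-builds of the fix are still flagged."""
    key = sort_key(tag)
    for introduced, fixed in ranges:
        if (*introduced, 0) <= key < (*fixed, 1):
            return True
    return False


def triage(tags):
    """Split tags into (affected, not_affected), each in version order."""
    ordered = sorted(tags, key=sort_key)
    return ([t for t in ordered if is_affected(t)], [t for t in ordered if not is_affected(t)])


if __name__ == "__main__":
    # Tags from this advisory's list plus two fixed releases (constructed inventory)
    affected, fixed = triage(["v2.7.4", "v2.7.2-rc1", "v2.7.3-kdm-2.6.12", "v2.6.13", "v2.7.3", "v2.7.0-novkdm"])
    print("affected:", affected)
    print("fixed:   ", fixed)
```

Feed it the output of `git tag` in a Rancher checkout or the image tags from your registry; anything that does not match the `vX.Y.Z[-suffix]` shape (for example `latest`) raises rather than silently passing as unaffected.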