GHSA-f9xf-jq4j-vqw4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f9xf-jq4j-vqw4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-f9xf-jq4j-vqw4/GHSA-f9xf-jq4j-vqw4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-f9xf-jq4j-vqw4
- Aliases
- Published
- 2024-04-24T21:02:01Z
- Modified
- 2024-07-08T20:41:27Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
- Details
-
A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example Rancher should have allowed users access to
apps.catalog.cattle.io, but instead incorrectly gave access toapps.*. Resource affected include:Downstream clusters: apiservices clusters clusterrepos persistentvolumes storageclasses
Rancher management cluster apprevisions apps catalogtemplates catalogtemplateversions clusteralertgroups clusteralertrules clustercatalogs clusterloggings clustermonitorgraphs clusterregistrationtokens clusterroletemplatebindings clusterscans etcdbackups nodepools nodes notifiers pipelineexecutions pipelines pipelinesettings podsecuritypolicytemplateprojectbindings projectalertgroups projectalertrules projectcatalogs projectloggings projectmonitorgraphs projectroletemplatebindings projects secrets sourcecodeproviderconfigs
There is not a direct mitigation besides upgrading to the patched Rancher versions.
- Database specific
{ "nvd_published_at": "2021-07-15T09:15:00Z", "cwe_ids": [ "CWE-732" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-24T21:02:01Z" }- References
Affected packages
Go / github.com/rancher/rancher
Package
- Name
- github.com/rancher/rancher
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/rancher/rancher
Go / github.com/rancher/rancher
Package
- Name
- github.com/rancher/rancher
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/rancher/rancher