Upstream information
Description
An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to use their existing permissions to manipulate Kubernetes secrets in the local cluster: the secret was deleted, but the user's read-level permissions on it were preserved. When this operation was followed by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster.
This issue affects Rancher versions 2.6.0 and later before 2.6.13, and 2.7.0 and later before 2.7.4.
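The practical first check is whether a given Rancher server falls inside the two affected ranges stated above. The following is an added example, not code from SUSE or the Rancher project: it takes the server version string as shown in the Rancher UI or returned by the server-version setting (obtaining it is left to the operator), and reports whether that build is inside an affected range and which fixed release on the same minor line to move to. Treating a pre-release build of the fix version (for example v2.7.4-rc1) as still affected, and refusing to evaluate dev builds such as v2.7-head, are conservative choices made in this example, not statements from the advisory.

```python
"""Check a Rancher server version against the affected ranges quoted in the advisory text.

Affected (per the advisory): 2.6.0 <= v < 2.6.13 and 2.7.0 <= v < 2.7.4.
Example code added to this page; the range data comes from the advisory,
the pre-release handling is this example's own conservative assumption.
"""
import re
from typing import Optional, Tuple

# (first affected, first fixed) pairs: inclusive lower bound, exclusive upper bound.
AFFECTED_RANGES = [
    ((2, 6, 0), (2, 6, 13)),
    ((2, 7, 0), (2, 7, 4)),
]

# Accepts "v2.7.3", "2.7.3" or "v2.7.4-rc1"; rejects dev builds like "v2.7-head".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease).

    Raises ValueError for anything that is not a release-style version so that a
    dev build can never be silently classified as "not affected".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a release version: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4) is not None


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    core, prerelease = parse_version(text)
    for first_bad, first_fixed in AFFECTED_RANGES:
        # Assumption made here: a pre-release of the fix version (v2.7.4-rc1) was
        # cut before the final fix release, so it is still treated as affected.
        if first_bad <= core < first_fixed or (prerelease and core == first_fixed):
            return True
    return False


def fixed_release(text: str) -> Optional[str]:
    """First fixed release on the same minor line, or None when not affected."""
    if not is_affected(text):
        return None
    core, _ = parse_version(text)
    for _, first_fixed in AFFECTED_RANGES:
        if first_fixed[:2] == core[:2]:
            return "v%d.%d.%d" % first_fixed
    return None


if __name__ == "__main__":
    import sys

    # Constructed sample inputs; pass real version strings as arguments instead.
    for v in sys.argv[1:] or ["v2.6.12", "v2.7.4-rc1", "v2.7.4", "v2.5.16", "v2.7-head"]:
        try:
            target = fixed_release(v)
        except ValueError as exc:
            print(f"{v}: cannot evaluate ({exc})")
            continue
        print(f"{v}: {'AFFECTED, upgrade to ' + target if target else 'not in the affected ranges'}")
```

Versions on minor lines the advisory does not list (2.5.x, 2.8.x) are reported as outside the affected ranges, which only means the advisory does not name them, not that they have been assessed here.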
Upstream Security Advisories:
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having critical severity.
Metric | CNA (SUSE) | National Vulnerability Database | SUSE
---|---|---|---
Base Score | 9.9 | 8.0 | 9.9
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector | Network | Adjacent Network | Network
Attack Complexity | Low | Low | Low
Privileges Required | Low | Low | Low
User Interaction | None | None | None
Scope | Changed | Unchanged | Changed
Confidentiality Impact | High | High | High
Integrity Impact | High | High | High
Availability Impact | High | High | High
CVSSv3 Version | 3.1 | 3.1 | 3.1
SUSE Security Advisories:
- GHSA-p976-h52c-26p6, published Thu Jun 1 04:44:47 CEST 2023
First public cloud image revisions this CVE is fixed in:
SUSE Timeline for this CVE
CVE page created: Mon Apr 17 15:00:06 2023
CVE page last modified: Mon Nov 18 14:11:36 2024