Upstream information
Description
An Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in to the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it.
This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4.
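The weakness described above is a session-authorization pattern rather than a single bug line: group membership is snapshotted at login and never consulted again, so a demotion or removal in the identity provider only takes effect at the next login. The Go program below is an added illustration of that pattern next to a hardened variant; it is not Rancher's code and does not call Azure AD. The `Directory` type, the group names `cluster-admins` and `viewers`, the user `alice`, and the fixed clock are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Directory is a constructed stand-in for the identity provider's group
// directory (what Azure AD would answer when asked for a user's groups).
// Illustrative only; not Rancher's implementation.
type Directory struct {
	groups map[string][]string // user -> groups the user is currently in
}

func (d *Directory) SetGroups(user string, groups ...string) {
	if d.groups == nil {
		d.groups = map[string][]string{}
	}
	d.groups[user] = append([]string(nil), groups...)
}

// GroupsOf returns a copy of the user's current group membership.
func (d *Directory) GroupsOf(user string) []string {
	return append([]string(nil), d.groups[user]...)
}

// rolePolicy maps a directory group to the permission it grants
// (hypothetical group names chosen for the example).
var rolePolicy = map[string]string{
	"cluster-admins": "admin",
	"viewers":        "read",
}

func grants(groups []string, perm string) bool {
	for _, g := range groups {
		if rolePolicy[g] == perm {
			return true
		}
	}
	return false
}

// StaleSession mirrors the advisory's weakness: membership is copied into the
// session at login and never re-read, so removal from a group in the
// directory leaves the session's permissions unchanged until logout.
type StaleSession struct {
	User   string
	groups []string
}

func LoginStale(dir *Directory, user string) *StaleSession {
	return &StaleSession{User: user, groups: dir.GroupsOf(user)}
}

func (s *StaleSession) Allowed(perm string) bool { return grants(s.groups, perm) }

// RefreshingSession is the hardened form: membership is cached only for ttl
// and re-resolved from the directory afterwards, so a directory change is
// enforced within one ttl instead of persisting for the life of the session.
type RefreshingSession struct {
	User      string
	dir       *Directory
	cached    []string
	fetchedAt time.Time
	ttl       time.Duration
	now       func() time.Time // injectable clock so the refresh is deterministic
}

func LoginRefreshing(dir *Directory, user string, ttl time.Duration, now func() time.Time) *RefreshingSession {
	s := &RefreshingSession{User: user, dir: dir, ttl: ttl, now: now}
	s.refresh()
	return s
}

func (s *RefreshingSession) refresh() {
	s.cached = s.dir.GroupsOf(s.User)
	s.fetchedAt = s.now()
}

func (s *RefreshingSession) Allowed(perm string) bool {
	if s.now().Sub(s.fetchedAt) >= s.ttl {
		s.refresh()
	}
	return grants(s.cached, perm)
}

// Demonstrate logs a user in under both session models, removes the user from
// the admin group while both sessions are live, and reports whether each
// session still grants "admin" afterwards. Returns (stale, refreshing).
func Demonstrate() (bool, bool) {
	dir := &Directory{}
	dir.SetGroups("alice", "cluster-admins", "viewers")

	clock := time.Unix(1_700_000_000, 0) // constructed fixed start time
	now := func() time.Time { return clock }

	stale := LoginStale(dir, "alice")
	fresh := LoginRefreshing(dir, "alice", 5*time.Minute, now)

	dir.SetGroups("alice", "viewers") // administrator demotes alice in the directory
	clock = clock.Add(5 * time.Minute) // the cache TTL elapses

	return stale.Allowed("admin"), fresh.Allowed("admin")
}

func main() {
	stale, fresh := Demonstrate()
	fmt.Printf("stale session still admin: %v\nrefreshing session still admin: %v\n", stale, fresh)
}
```

The refreshing variant bounds the exposure window to the cache TTL; in a real deployment the re-resolution would be a call to the provider's group API or a validation of a freshly issued token, and the TTL is a trade-off between provider load and how quickly a demotion must take effect.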
Upstream Security Advisories:
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
| | CNA (SUSE) | National Vulnerability Database | SUSE |
|---|---|---|---|
| Base Score | 8 | 8.8 | 8 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| Attack Vector | Network | Network | Network |
| Attack Complexity | Low | Low | Low |
| Privileges Required | Low | Low | Low |
| User Interaction | Required | None | Required |
| Scope | Unchanged | Unchanged | Unchanged |
| Confidentiality Impact | High | High | High |
| Integrity Impact | High | High | High |
| Availability Impact | High | High | High |
| CVSSv3 Version | 3.1 | 3.1 | 3.1 |
SUSE Security Advisories:
- GHSA-vf6j-6739-78m8, published Thu Jun 1 04:44:48 CEST 2023
First public cloud image revisions this CVE is fixed in:
SUSE Timeline for this CVE
CVE page created: Mon Apr 17 15:00:06 2023
CVE page last modified: Mon Nov 18 14:11:36 2024