Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources

A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example Rancher should have allowed users access to apps.catalog.cattle.io, but instead incorrectly gave access to apps.*. Resource affected include:

Downstream clusters:
apiservices
clusters
clusterrepos
persistentvolumes
storageclasses

Rancher management cluster
apprevisions
apps
catalogtemplates
catalogtemplateversions
clusteralertgroups
clusteralertrules
clustercatalogs
clusterloggings
clustermonitorgraphs
clusterregistrationtokens
clusterroletemplatebindings
clusterscans
etcdbackups
nodepools
nodes
notifiers
pipelineexecutions
pipelines
pipelinesettings
podsecuritypolicytemplateprojectbindings
projectalertgroups
projectalertrules
projectcatalogs
projectloggings
projectmonitorgraphs
projectroletemplatebindings
projects
secrets
sourcecodeproviderconfigs

There is not a direct mitigation besides upgrading to the patched Rancher versions.

References

cbron published to rancher/rancher Jul 15, 2021

Published by the National Vulnerability Database Jul 15, 2021

Published to the GitHub Advisory Database Apr 24, 2024

Reviewed Apr 24, 2024

Last updated Aug 7, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code