GHSA-f9xf-jq4j-vqw4

Source
https://github.com/advisories/GHSA-f9xf-jq4j-vqw4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-f9xf-jq4j-vqw4/GHSA-f9xf-jq4j-vqw4.json
Aliases
Published
2024-04-24T21:02:01Z
Modified
2024-04-24T21:28:38.041264Z
Details

A vulnerability was discovered in Rancher versions 2.0.0 up to (but not including) 2.4.16, and 2.5.0 up to (but not including) 2.5.9, where users were granted access to resources regardless of the resource's API group. For example, a user who should only have been granted access to apps in the catalog.cattle.io API group (apps.catalog.cattle.io) was instead given access to the apps resource in every API group (apps.*). Affected resources include:

Downstream clusters: apiservices, clusters, clusterrepos, persistentvolumes, storageclasses

Rancher management cluster: apprevisions, apps, catalogtemplates, catalogtemplateversions, clusteralertgroups, clusteralertrules, clustercatalogs, clusterloggings, clustermonitorgraphs, clusterregistrationtokens, clusterroletemplatebindings, clusterscans, etcdbackups, nodepools, nodes, notifiers, pipelineexecutions, pipelines, pipelinesettings, podsecuritypolicytemplateprojectbindings, projectalertgroups, projectalertrules, projectcatalogs, projectloggings, projectmonitorgraphs, projectroletemplatebindings, projects, secrets, sourcecodeproviderconfigs

There is no direct mitigation other than upgrading to a patched Rancher version (2.4.16 or 2.5.9).
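To make the bug class concrete, the following is an added illustration written for this page; it is not Rancher's code and does not reproduce how Rancher evaluates permissions. It models a Kubernetes-style RBAC rule (the Rule and GroupResource types, the matches helper, and the sample rule set are all assumptions constructed for the example) and puts a group-blind check, which matches a rule on verb and resource name only, next to the corrected check that also requires the API group to match. The overGranted helper then lists exactly the requests that the group-blind check permits and the corrected check denies, which is the access an affected Rancher release would have leaked for that rule set.

```go
package main

import "fmt"

// Rule is a minimal stand-in for a Kubernetes-style RBAC rule (an assumption
// made for this example; it is not Rancher's own type).
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// GroupResource names the resource a request targets. The core API group is
// the empty string, as in Kubernetes.
type GroupResource struct {
	Group    string
	Resource string
}

// String renders the resource in the resource.group form used by the advisory
// (for example apps.catalog.cattle.io).
func (gr GroupResource) String() string {
	if gr.Group == "" {
		return gr.Resource
	}
	return gr.Resource + "." + gr.Group
}

// matches reports whether list contains v or the wildcard "*".
func matches(list []string, v string) bool {
	for _, s := range list {
		if s == "*" || s == v {
			return true
		}
	}
	return false
}

// allowedIgnoringGroup models the bug class described above: the rule is
// matched on verb and resource name only, so a rule written for
// apps.catalog.cattle.io also satisfies a request for apps in any other group.
func allowedIgnoringGroup(rules []Rule, verb string, gr GroupResource) bool {
	for _, r := range rules {
		if matches(r.Verbs, verb) && matches(r.Resources, gr.Resource) {
			return true
		}
	}
	return false
}

// allowedWithGroup is the corrected check: the API group must match as well.
func allowedWithGroup(rules []Rule, verb string, gr GroupResource) bool {
	for _, r := range rules {
		if matches(r.Verbs, verb) &&
			matches(r.APIGroups, gr.Group) &&
			matches(r.Resources, gr.Resource) {
			return true
		}
	}
	return false
}

// overGranted lists the requests the group-blind check permits but the
// corrected check denies, i.e. the access the bug leaks for this rule set.
func overGranted(rules []Rule, verb string, reqs []GroupResource) []string {
	var leaked []string
	for _, gr := range reqs {
		if allowedIgnoringGroup(rules, verb, gr) && !allowedWithGroup(rules, verb, gr) {
			leaked = append(leaked, gr.String())
		}
	}
	return leaked
}

func main() {
	// Constructed sample: a role meant to grant read access only to
	// apps.catalog.cattle.io.
	rules := []Rule{{
		APIGroups: []string{"catalog.cattle.io"},
		Resources: []string{"apps"},
		Verbs:     []string{"get", "list"},
	}}
	reqs := []GroupResource{
		{"catalog.cattle.io", "apps"}, // intended
		{"project.cattle.io", "apps"}, // same resource name, different group
		{"", "secrets"},               // unrelated resource
	}
	for _, gr := range reqs {
		fmt.Printf("%-28s group-blind=%-5v with-group=%v\n",
			gr, allowedIgnoringGroup(rules, "get", gr), allowedWithGroup(rules, "get", gr))
	}
	fmt.Println("over-granted:", overGranted(rules, "get", reqs))
}
```

With the sample rule, apps.project.cattle.io is the only request the group-blind check grants that the corrected check refuses; secrets is denied by both because the resource name never matched. The practical takeaway for anyone auditing a custom authorizer is the same as the advisory's: a rule must be keyed on (API group, resource), never on the resource name alone, since identically named resources exist across groups.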

References

Affected packages

Go / github.com/rancher/rancher

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.4.16

Go / github.com/rancher/rancher

Affected ranges

Type
SEMVER
Events
Introduced
2.5.0
Fixed
2.5.9