Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
10 vulnerabilities found for Rancher by Rancher
CVE-2021-36776 (GCVE-0-2021-36776)
Vulnerability from nvd – Published: 2022-04-01 07:40 – Updated: 2024-09-17 01:51
VLAI?
Title
Steve API proxy impersonation
Summary
A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Date Public ?
2022-04-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189413"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.5.10",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T12:15:16.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189413"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189413",
"defect": [
"1189413"
],
"discovery": "INTERNAL"
},
"title": "Steve API proxy impersonation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2022-04-01T00:00:00.000Z",
"ID": "CVE-2021-36776",
"STATE": "PUBLIC",
"TITLE": "Steve API proxy impersonation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.10"
}
]
}
}
]
},
"vendor_name": "SUSE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1189413",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189413"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189413",
"defect": [
"1189413"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36776",
"datePublished": "2022-04-01T07:40:13.289Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:51:56.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36775 (GCVE-0-2021-36775)
Vulnerability from nvd – Published: 2022-04-01 07:40 – Updated: 2024-09-16 18:34
VLAI?
Title
Deleting PRTBs associated to a group doesn't cause deletion of corresponding RoleBindings
Summary
a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2022-04-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.4.18",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.6.3",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T12:15:15.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189120",
"defect": [
"1189120"
],
"discovery": "INTERNAL"
},
"title": "Deleting PRTBs associated to a group doesn\u0027t cause deletion of corresponding RoleBindings",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2022-04-01T00:00:00.000Z",
"ID": "CVE-2021-36775",
"STATE": "PUBLIC",
"TITLE": "Deleting PRTBs associated to a group doesn\u0027t cause deletion of corresponding RoleBindings"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.18"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.12"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.6.3"
}
]
}
}
]
},
"vendor_name": "SUSE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1189120",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189120",
"defect": [
"1189120"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36775",
"datePublished": "2022-04-01T07:40:11.706Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:34:57.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31999 (GCVE-0-2021-31999)
Vulnerability from nvd – Published: 2021-07-15 08:55 – Updated: 2024-09-17 02:26
VLAI?
Title
Rancher: Privilege escalation vulnerability via malicious Connection header
Summary
A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the "Impersonate-User" or "Impersonate-Group" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16.
Severity ?
8.8 (High)
CWE
- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Rancher | Rancher |
Affected:
Rancher , < 2.5.9
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:31.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1187084"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.5.9",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "SUSE Linux Enterprise Server 15",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.4.16",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the \"Impersonate-User\" or \"Impersonate-Group\" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-15T08:55:18.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1187084"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1187084",
"defect": [
"1187084"
],
"discovery": "INTERNAL"
},
"title": "Rancher: Privilege escalation vulnerability via malicious Connection header",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2021-07-15T00:00:00.000Z",
"ID": "CVE-2021-31999",
"STATE": "PUBLIC",
"TITLE": "Rancher: Privilege escalation vulnerability via malicious Connection header"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.9"
}
]
}
},
{
"product_name": "SUSE Linux Enterprise Server 15",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.16"
}
]
}
}
]
},
"vendor_name": "Rancher"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the \"Impersonate-User\" or \"Impersonate-Group\" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1187084",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1187084"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1187084",
"defect": [
"1187084"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-31999",
"datePublished": "2021-07-15T08:55:18.646Z",
"dateReserved": "2021-05-03T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:26:40.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25320 (GCVE-0-2021-25320)
Vulnerability from nvd – Published: 2021-07-15 08:55 – Updated: 2024-09-16 20:21
VLAI?
Title
Rancher: Cloud credentials can be used through proxy API by users without access
Summary
A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16.
Severity ?
9.9 (Critical)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:03:04.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1185514"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.5.9",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.4.16",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-15T08:55:17.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1185514"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1185514",
"defect": [
"1185514"
],
"discovery": "INTERNAL"
},
"title": "Rancher: Cloud credentials can be used through proxy API by users without access",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2021-07-15T00:00:00.000Z",
"ID": "CVE-2021-25320",
"STATE": "PUBLIC",
"TITLE": "Rancher: Cloud credentials can be used through proxy API by users without access"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.9"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.16"
}
]
}
}
]
},
"vendor_name": "Rancher"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1185514",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1185514"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1185514",
"defect": [
"1185514"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-25320",
"datePublished": "2021-07-15T08:55:17.141Z",
"dateReserved": "2021-01-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:21:51.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25318 (GCVE-0-2021-25318)
Vulnerability from nvd – Published: 2021-07-15 08:55 – Updated: 2024-09-16 20:37
VLAI?
Title
rancher: API group not properly specified when creating Kubernetes RBAC resources
Summary
A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16.
Severity ?
8.8 (High)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:03:05.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1184913"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.5.9",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.4.16",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-15T08:55:15.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1184913"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1184913",
"defect": [
"1184913"
],
"discovery": "EXTERNAL"
},
"title": "rancher: API group not properly specified when creating Kubernetes RBAC resources",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2021-07-15T00:00:00.000Z",
"ID": "CVE-2021-25318",
"STATE": "PUBLIC",
"TITLE": "rancher: API group not properly specified when creating Kubernetes RBAC resources"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.9"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.16"
}
]
}
}
]
},
"vendor_name": "Rancher"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732: Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1184913",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1184913"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1184913",
"defect": [
"1184913"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-25318",
"datePublished": "2021-07-15T08:55:15.569Z",
"dateReserved": "2021-01-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:37:30.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36776 (GCVE-0-2021-36776)
Vulnerability from cvelistv5 – Published: 2022-04-01 07:40 – Updated: 2024-09-17 01:51
VLAI?
Title
Steve API proxy impersonation
Summary
A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Date Public ?
2022-04-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189413"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.5.10",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T12:15:16.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189413"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189413",
"defect": [
"1189413"
],
"discovery": "INTERNAL"
},
"title": "Steve API proxy impersonation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2022-04-01T00:00:00.000Z",
"ID": "CVE-2021-36776",
"STATE": "PUBLIC",
"TITLE": "Steve API proxy impersonation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.10"
}
]
}
}
]
},
"vendor_name": "SUSE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1189413",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189413"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189413",
"defect": [
"1189413"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36776",
"datePublished": "2022-04-01T07:40:13.289Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:51:56.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36775 (GCVE-0-2021-36775)
Vulnerability from cvelistv5 – Published: 2022-04-01 07:40 – Updated: 2024-09-16 18:34
VLAI?
Title
Deleting PRTBs associated to a group doesn't cause deletion of corresponding RoleBindings
Summary
a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2022-04-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.4.18",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.5.12",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "SUSE",
"versions": [
{
"lessThan": "2.6.3",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T12:15:15.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189120",
"defect": [
"1189120"
],
"discovery": "INTERNAL"
},
"title": "Deleting PRTBs associated to a group doesn\u0027t cause deletion of corresponding RoleBindings",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2022-04-01T00:00:00.000Z",
"ID": "CVE-2021-36775",
"STATE": "PUBLIC",
"TITLE": "Deleting PRTBs associated to a group doesn\u0027t cause deletion of corresponding RoleBindings"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.18"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.12"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.6.3"
}
]
}
}
]
},
"vendor_name": "SUSE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1189120",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1189120"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1189120",
"defect": [
"1189120"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-36775",
"datePublished": "2022-04-01T07:40:11.706Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:34:57.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31999 (GCVE-0-2021-31999)
Vulnerability from cvelistv5 – Published: 2021-07-15 08:55 – Updated: 2024-09-17 02:26
VLAI?
Title
Rancher: Privilege escalation vulnerability via malicious Connection header
Summary
A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the "Impersonate-User" or "Impersonate-Group" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16.
Severity ?
8.8 (High)
CWE
- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Rancher | Rancher |
Affected:
Rancher , < 2.5.9
(custom)
|
|||||||
|
|||||||||
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:31.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1187084"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.5.9",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "SUSE Linux Enterprise Server 15",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.4.16",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the \"Impersonate-User\" or \"Impersonate-Group\" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-15T08:55:18.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1187084"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1187084",
"defect": [
"1187084"
],
"discovery": "INTERNAL"
},
"title": "Rancher: Privilege escalation vulnerability via malicious Connection header",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2021-07-15T00:00:00.000Z",
"ID": "CVE-2021-31999",
"STATE": "PUBLIC",
"TITLE": "Rancher: Privilege escalation vulnerability via malicious Connection header"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.9"
}
]
}
},
{
"product_name": "SUSE Linux Enterprise Server 15",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.16"
}
]
}
}
]
},
"vendor_name": "Rancher"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as others users in the cluster by forging the \"Impersonate-User\" or \"Impersonate-Group\" headers. This issue affects: Rancher versions prior to 2.5.9. Rancher versions prior to 2.4.16."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1187084",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1187084"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1187084",
"defect": [
"1187084"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-31999",
"datePublished": "2021-07-15T08:55:18.646Z",
"dateReserved": "2021-05-03T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:26:40.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25320 (GCVE-0-2021-25320)
Vulnerability from cvelistv5 – Published: 2021-07-15 08:55 – Updated: 2024-09-16 20:21
VLAI?
Title
Rancher: Cloud credentials can be used through proxy API by users without access
Summary
A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16.
Severity ?
9.9 (Critical)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:03:04.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1185514"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.5.9",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.4.16",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-15T08:55:17.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1185514"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1185514",
"defect": [
"1185514"
],
"discovery": "INTERNAL"
},
"title": "Rancher: Cloud credentials can be used through proxy API by users without access",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2021-07-15T00:00:00.000Z",
"ID": "CVE-2021-25320",
"STATE": "PUBLIC",
"TITLE": "Rancher: Cloud credentials can be used through proxy API by users without access"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.9"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.16"
}
]
}
}
]
},
"vendor_name": "Rancher"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher versions prior to 2.5.9; Rancher versions prior to 2.4.16."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1185514",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1185514"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1185514",
"defect": [
"1185514"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-25320",
"datePublished": "2021-07-15T08:55:17.141Z",
"dateReserved": "2021-01-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:21:51.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25318 (GCVE-0-2021-25318)
Vulnerability from cvelistv5 – Published: 2021-07-15 08:55 – Updated: 2024-09-16 20:37
VLAI?
Title
rancher: API group not properly specified when creating Kubernetes RBAC resources
Summary
A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16.
Severity ?
8.8 (High)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:03:05.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1184913"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.5.9",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
},
{
"product": "Rancher",
"vendor": "Rancher",
"versions": [
{
"lessThan": "2.4.16",
"status": "affected",
"version": "Rancher",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-15T08:55:15.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1184913"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1184913",
"defect": [
"1184913"
],
"discovery": "EXTERNAL"
},
"title": "rancher: API group not properly specified when creating Kubernetes RBAC resources",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2021-07-15T00:00:00.000Z",
"ID": "CVE-2021-25318",
"STATE": "PUBLIC",
"TITLE": "rancher: API group not properly specified when creating Kubernetes RBAC resources"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.5.9"
}
]
}
},
{
"product_name": "Rancher",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Rancher",
"version_value": "2.4.16"
}
]
}
}
]
},
"vendor_name": "Rancher"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732: Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1184913",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1184913"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1184913",
"defect": [
"1184913"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2021-25318",
"datePublished": "2021-07-15T08:55:15.569Z",
"dateReserved": "2021-01-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:37:30.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}