Rancher: Downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB)
CVE-2022-31247

9.1CRITICAL

Key Information:

Vendor: Suse
Status: Rancher
Vendor: CVE Published:; 7 September 2022

What is CVE-2022-31247?

An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.6.7; Rancher versions prior to 2.5.16.

Affected Version(s)

Rancher Rancher < 2.6.7

Rancher Rancher < 2.5.16

References

https://bugzilla.suse.com/show_bug.cgi?id=1199730

x_refsource_CONFIRM

https://github.com/rancher/rancher/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 7, 2022
Vulnerability Reserved
May 20, 2022

Suse

What is CVE-2022-31247?

Affected Version(s)

References

CVSS V3.1

Timeline