Rancher Vulnerability: Unauthorized Access via Deleted Users
CVE-2023-22650
8.8 HIGH
Summary
A user management vulnerability has been discovered in Rancher, where the platform fails to automatically revoke access for users who have been deleted or disabled in the configured authentication provider. This oversight means that tokens associated with these users remain active, potentially allowing unauthorized access to resources. As a result, organizations using Rancher are at risk of lingering access through obsolete user credentials, which may not be addressed by the usual user management processes.
Affected Version(s)
rancher >= 2.7.0, < 2.7.14
rancher >= 2.8.0, < 2.8.5
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved