Rancher Vulnerability: Unauthorized Access via Deleted Users

CVE-2023-22650

8.8HIGH

Key Information

Vendor: Suse
Status: Rancher
Vendor: CVE Published:; 16 October 2024

Summary

A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable.

Affected Version(s)

rancher < 2.7.14

rancher < 2.8.5

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 16, 2024
Vulnerability Reserved.
Jan 5, 2023

Collectors

NVD DatabaseMitre Database