CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32194 – Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'
https://notcve.org/view.php?id=CVE-2023-32194
A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces"; no matter the API group, the subject will receive * permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project. Se ha identificado una vulnerabilidad al otorgar un rol de creación o * global para un tipo de recurso de "espacios de nombres"; sin importar el grupo de API, el sujeto recibirá * permisos para espacios de nombres principales. Esto puede llevar a que alguien pueda acceder, crear, actualizar o eliminar un espacio de nombres en el proyecto. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32194 https://github.com/rancher/rancher/security/advisories/GHSA-c85r-fwc7-45vc • CWE-269: Improper Privilege Management •
CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-22649 – Rancher 'Audit Log' leaks sensitive information
https://notcve.org/view.php?id=CVE-2023-22649
A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue. Se ha identificado una vulnerabilidad que puede provocar la filtración de datos confidenciales en los registros de auditoría de Rancher. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) es una función opcional. Solo las implementaciones que la tienen habilitada y tienen [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) configurado en "1 o superior" se ven afectadas por este problema. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22649 https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10676
https://notcve.org/view.php?id=CVE-2020-10676
In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project. En Rancher 2.x anterior a 2.6.13 y 2.7.x anterior a 2.7.4, una verificación de autorización aplicada incorrectamente permite a los usuarios que tienen cierto acceso a un espacio de nombres mover ese espacio de nombres a un proyecto diferente. • https://forums.rancher.com/c/announcements https://github.com/advisories/GHSA-8vhc-hwhc-cpj4 https://github.com/rancher/rancher/releases/tag/v2.6.13 https://github.com/rancher/rancher/releases/tag/v2.7.4 • CWE-863: Incorrect Authorization •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43760
https://notcve.org/view.php?id=CVE-2022-43760
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760 https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22647
https://notcve.org/view.php?id=CVE-2023-22647
An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647 https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6 • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •