CVE-2021-36784 – Privilege escalation for users with create/update permissions in Global Roles
https://notcve.org/view.php?id=CVE-2021-36784
02 May 2022 — An Improper Privilege Management vulnerability in SUSE Rancher allows users holding the restricted-admin role to escalate to full admin. This issue affects SUSE Rancher versions prior to 2.5.13 and versions prior to 2.6.4. • https://bugzilla.suse.com/show_bug.cgi?id=1193991 • CWE-269: Improper Privilege Management
CVE-2021-36778 – Exposure of repository credentials to external third-party sources
https://notcve.org/view.php?id=CVE-2021-36778
02 May 2022 — An Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that Rancher sends to their servers. This issue affects SUSE Rancher versions prior to 2.5.12 and versions prior to 2.6.3. • https://bugzilla.suse.com/show_bug.cgi?id=1191466 • CWE-863: Incorrect Authorization
CVE-2021-36776 – Steve API proxy impersonation
https://notcve.org/view.php?id=CVE-2021-36776
01 Apr 2022 — An Improper Access Control vulnerability in SUSE Rancher allows remote attackers to impersonate arbitrary users through the Steve API proxy. This issue affects SUSE Rancher versions prior to 2.5.10. • https://bugzilla.suse.com/show_bug.cgi?id=1189413 • CWE-284: Improper Access Control
CVE-2021-36775 – Deleting PRTBs associated to a group doesn't cause deletion of corresponding RoleBindings
https://notcve.org/view.php?id=CVE-2021-36775
01 Apr 2022 — An Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked: deleting a ProjectRoleTemplateBinding (PRTB) associated with a group does not delete the corresponding Kubernetes RoleBindings. This issue affects SUSE Rancher versions prior to 2.4.18, versions prior to 2.5.12, and versions prior to 2.6.3. • https://bugzilla.suse.com/show_bug.cgi?id=1189120 • CWE-284: Improper Access Control
CVE-2021-31999 – Rancher: Privilege escalation vulnerability via malicious Connection header
https://notcve.org/view.php?id=CVE-2021-31999
15 Jul 2021 — A Reliance on Untrusted Inputs in a Security Decision vulnerability in Rancher allows users in the cluster to act as other users in the cluster by forging the "Impersonate-User" or "Impersonate-Group" headers. This issue affects Rancher versions prior to 2.5.9 and versions prior to 2.4.16. • https://bugzilla.suse.com/show_bug.cgi?id=1187084 • CWE-807: Reliance on Untrusted Inputs in a Security Decision
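Both CVE-2021-36776 (Steve API proxy impersonation) and CVE-2021-31999 (forged Impersonate-User / Impersonate-Group headers) come down to the same design rule for any proxy that sits in front of a Kubernetes API server and uses impersonation to act on behalf of the caller: the proxy must never forward client-supplied impersonation headers, and must set them only from the identity it authenticated itself. The following Go example is added here to illustrate that rule; it is not Rancher's code and does not reproduce Rancher's fix. The `Identity` type, the `authenticate` callback and the header list (based on the Kubernetes impersonation headers `Impersonate-User`, `Impersonate-Group`, `Impersonate-Uid` and the `Impersonate-Extra-*` prefix) are assumptions made for the example. It shows a vulnerable pass-through beside the hardened version, and deliberately handles a non-canonical header key, which `http.Header.Get` and `Del` would miss.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is the caller as authenticated by the proxy itself (for example from
// a session cookie or API token). Hypothetical type for this example.
type Identity struct {
	User   string
	Groups []string
}

// impersonationHeaders lists the fixed-name headers the Kubernetes API server
// honours for impersonation (assumed list for this example).
var impersonationHeaders = []string{
	"Impersonate-User",
	"Impersonate-Group",
	"Impersonate-Uid",
}

// isImpersonationHeader compares on the canonical form so that a key set
// directly in the map (e.g. "impersonate-user") is still recognised.
func isImpersonationHeader(name string) bool {
	canon := http.CanonicalHeaderKey(name)
	for _, h := range impersonationHeaders {
		if canon == h {
			return true
		}
	}
	// Impersonate-Extra-<key> is open-ended, so match on the prefix.
	return strings.HasPrefix(canon, "Impersonate-Extra-")
}

// forwardHeadersVulnerable only fills in Impersonate-User when the client did
// not send one, so a cluster user who sends "Impersonate-User: admin" is
// forwarded to the API server as admin.
func forwardHeadersVulnerable(in http.Header, id Identity) http.Header {
	out := in.Clone()
	if out.Get("Impersonate-User") == "" {
		out.Set("Impersonate-User", id.User)
	}
	return out
}

// forwardHeadersHardened drops every client-supplied impersonation header and
// sets the impersonation headers solely from the authenticated identity.
func forwardHeadersHardened(in http.Header, id Identity) http.Header {
	out := in.Clone()
	for name := range out {
		if isImpersonationHeader(name) {
			// delete() rather than out.Del(): Del canonicalises the key and
			// would leave a non-canonical key such as "impersonate-uid" behind.
			delete(out, name)
		}
	}
	out.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		out.Add("Impersonate-Group", g)
	}
	return out
}

// newProxy authenticates the caller first, rejects unauthenticated requests,
// and rewrites the headers before handing off to the reverse proxy. The
// authenticate callback is assumed to be supplied by the deployment.
func newProxy(upstream *url.URL, authenticate func(*http.Request) (Identity, bool)) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header = forwardHeadersHardened(r.Header, id)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request headers from a low-privileged caller trying to
	// impersonate admin; the proxy authenticated the caller as "alice".
	in := http.Header{}
	in.Set("Impersonate-User", "admin")
	in.Set("Impersonate-Group", "system:masters")
	in["impersonate-uid"] = []string{"0"} // non-canonical key
	id := Identity{User: "alice", Groups: []string{"developers"}}

	fmt.Println("vulnerable:", forwardHeadersVulnerable(in, id))
	fmt.Println("hardened:  ", forwardHeadersHardened(in, id))
}
```

The `newProxy` handler shows where the rewrite belongs: after the proxy's own authentication succeeds and before the request reaches the upstream. Authenticating inside a `ReverseProxy.Director` is the wrong place, because a `Director` cannot reject the request.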
CVE-2021-25320 – Rancher: Cloud credentials can be used through proxy API by users without access
https://notcve.org/view.php?id=CVE-2021-25320
15 Jul 2021 — An Improper Access Control vulnerability in Rancher allows users in the cluster to make requests to cloud providers by crafting requests through the proxy API that reference a cloud-credential ID; Rancher attaches the requested credentials without checking that the user has access to them. This issue affects Rancher versions prior to 2.5.9 and versions prior to 2.4.16. • https://bugzilla.suse.com/show_bug.cgi?id=1185514 • CWE-284: Improper Access Control
CVE-2021-25318 – rancher: API group not properly specified when creating Kubernetes RBAC resources
https://notcve.org/view.php?id=CVE-2021-25318
15 Jul 2021 — An Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to, because the API group is not properly specified when Rancher creates Kubernetes RBAC resources. This issue affects Rancher versions prior to 2.5.9 and versions prior to 2.4.16. • https://bugzilla.suse.com/show_bug.cgi?id=1184913 • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2021-25313 – Rancher: XSS on /v3/cluster/
https://notcve.org/view.php?id=CVE-2021-25313
05 Mar 2021 — An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links targeting /v3/cluster/. This issue affects SUSE Rancher versions prior to 2.5.6. • https://bugzilla.suse.com/show_bug.cgi?id=1181852 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')