CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-32196 – Rancher's External RoleTemplates can lead to privilege escalation
https://notcve.org/view.php?id=CVE-2023-32196
16 Oct 2024 — A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplateobjects when external=true, which in specific scenarios can lead to privilege escalation. Se ha identificado una vulnerabilidad por la cual las comprobaciones de escalada de privilegios no se aplican correctamente para los objetos RoleTemplate cuando external=true, lo que en escenarios específicos puede provocar una escalada de privilegios. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32196 • CWE-269: Improper Privilege Management •
CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32194 – Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'
https://notcve.org/view.php?id=CVE-2023-32194
16 Oct 2024 — A vulnerability has been identified when granting a create or * global role for a resource type of "namespaces"; no matter the API group, the subject will receive * permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project. Se ha identificado una vulnerabilidad al otorgar un rol de creación o * global para un tipo de recurso de "espacios de nombres"; sin importar el grupo de API, el sujeto recibirá * permisos para espacio... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32194 • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22650 – Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
https://notcve.org/view.php?id=CVE-2023-22650
16 Oct 2024 — A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable. Se ha identificado una vulnerabilidad en la que Rancher no limpia automáticamente a un usuario que ha sido eliminado del proveedor de autenticación (AP) configurado. Esta característica tambi... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22650 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 8.4EPSS: 29%CPEs: 3EXPL: 0CVE-2023-22649 – Rancher 'Audit Log' leaks sensitive information
https://notcve.org/view.php?id=CVE-2023-22649
16 Oct 2024 — A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue. Se ha identificado una vulnerabilidad... • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22649 • CWE-532: Insertion of Sensitive Information into Log File •