CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22648
https://notcve.org/view.php?id=CVE-2023-22648
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it. This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648 https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8 • CWE-269: Improper Privilege Management CWE-271: Privilege Dropping / Lowering Errors •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22651
https://notcve.org/view.php?id=CVE-2023-22651
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22651 https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43755 – Rancher: Non-random authentication token
https://notcve.org/view.php?id=CVE-2022-43755
A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Rancher Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205297 • CWE-331: Insufficient Entropy •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-21953 – Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
https://notcve.org/view.php?id=CVE-2022-21953
A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1199731 • CWE-862: Missing Authorization •
CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0CVE-2022-43758 – Rancher: Command injection in Git package
https://notcve.org/view.php?id=CVE-2022-43758
A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users by default) This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205294 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •