CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22647
https://notcve.org/view.php?id=CVE-2023-22647
An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647 https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6 • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22648
https://notcve.org/view.php?id=CVE-2023-22648
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it. This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648 https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8 • CWE-269: Improper Privilege Management CWE-271: Privilege Dropping / Lowering Errors •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22651
https://notcve.org/view.php?id=CVE-2023-22651
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22651 https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-43759 – Rancher: Privilege escalation via promoted roles
https://notcve.org/view.php?id=CVE-2022-43759
A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10. • https://bugzilla.suse.com/show_bug.cgi?id=1205293 • CWE-269: Improper Privilege Management •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 1CVE-2022-43757 – Rancher: Exposure of sensitive fields
https://notcve.org/view.php?id=CVE-2022-43757
A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205295 • CWE-312: Cleartext Storage of Sensitive Information •