CVE-2023-22651
https://notcve.org/view.php?id=CVE-2023-22651
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22651 https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g • CWE-269: Improper Privilege Management •
CVE-2022-43759 – Rancher: Privilege escalation via promoted roles
https://notcve.org/view.php?id=CVE-2022-43759
A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10. • https://bugzilla.suse.com/show_bug.cgi?id=1205293 • CWE-269: Improper Privilege Management •
CVE-2022-43757 – Rancher: Exposure of sensitive fields
https://notcve.org/view.php?id=CVE-2022-43757
A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205295 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2022-43755 – Rancher: Non-random authentication token
https://notcve.org/view.php?id=CVE-2022-43755
A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Rancher Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205297 • CWE-331: Insufficient Entropy •
CVE-2022-21953 – Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
https://notcve.org/view.php?id=CVE-2022-21953
A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1199731 • CWE-862: Missing Authorization •