CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22648
https://notcve.org/view.php?id=CVE-2023-22648
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it. This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648 https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8 • CWE-269: Improper Privilege Management CWE-271: Privilege Dropping / Lowering Errors •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22651
https://notcve.org/view.php?id=CVE-2023-22651
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22651 https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-43759 – Rancher: Privilege escalation via promoted roles
https://notcve.org/view.php?id=CVE-2022-43759
A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10. • https://bugzilla.suse.com/show_bug.cgi?id=1205293 • CWE-269: Improper Privilege Management •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 1CVE-2022-43757 – Rancher: Exposure of sensitive fields
https://notcve.org/view.php?id=CVE-2022-43757
A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205295 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43755 – Rancher: Non-random authentication token
https://notcve.org/view.php?id=CVE-2022-43755
A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Rancher Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. • https://bugzilla.suse.com/show_bug.cgi?id=1205297 • CWE-331: Insufficient Entropy •