CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10676
https://notcve.org/view.php?id=CVE-2020-10676
In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project. En Rancher 2.x anterior a 2.6.13 y 2.7.x anterior a 2.7.4, una verificación de autorización aplicada incorrectamente permite a los usuarios que tienen cierto acceso a un espacio de nombres mover ese espacio de nombres a un proyecto diferente. • https://forums.rancher.com/c/announcements https://github.com/advisories/GHSA-8vhc-hwhc-cpj4 https://github.com/rancher/rancher/releases/tag/v2.6.13 https://github.com/rancher/rancher/releases/tag/v2.7.4 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-32186
https://notcve.org/view.php?id=CVE-2023-32186
A Allocation of Resources Without Limits or Throttling vulnerability in SUSE RKE2 allows attackers with access to K3s servers apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects RKE2: from 1.24.0 before 1.24.17+rke2r1, from v1.25.0 before v1.25.13+rke2r1, from v1.26.0 before v1.26.8+rke2r1, from v1.27.0 before v1.27.5+rke2r1, from v1.28.0 before v1.28.1+rke2r1. Una vulnerabilidad de Asignación de Recursos sin Límites o Throttling en SUSE RKE2 permite a los atacantes con acceso al puerto apiserver/supervisor de servidores K3s (TCP 6443) causar denegación de servicio. Este problema afecta a RKE2: desde la versión 1.24.0 antes de 1.24.17+rke2r1, desde la versión v1.25.0 antes de v1.25.13+rke2r1, desde la versión v1.26.0 antes de v1.26.8+rke2r1, desde la versión v1.27.0 antes de v1.27.5+rke2r1, desde la versión v1.28.0 antes de v1.28.1+rke2r1. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32186 https://github.com/rancher/rke2/security/advisories/GHSA-p45j-vfv5-wprq • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43760
https://notcve.org/view.php?id=CVE-2022-43760
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760 https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22647
https://notcve.org/view.php?id=CVE-2023-22647
An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647 https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6 • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22648
https://notcve.org/view.php?id=CVE-2023-22648
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it. This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648 https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8 • CWE-269: Improper Privilege Management •