CVE-2023-22651

2023-05-0408:15:22

CWE-269

[email protected]

web.nvd.nist.gov

cve-2023-22651

suse rancher

privilege escalation

vulnerability

update logic

admission webhook

misconfiguration

kubernetes cluster

nvd

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.4%

JSON

Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher’s admission Webhook may lead to
the misconfiguration of the Webhook. This component enforces validation
rules and security checks before resources are admitted into the
Kubernetes cluster.
The issue only affects users that upgrade from 2.6.x or 2.7.x to 2.7.2. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected.

Affected configurations

NVD

Node

suserancherRange2.6.0–2.7.2

CPENameOperatorVersion
suse:ranchersuse rancherle2.7.2

CPE	Name	Operator	Version
suse:rancher	suse rancher	le	2.7.2

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Rancher",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThanOrEqual": "2.7.2",
        "status": "affected",
        "version": "2.6.0",
        "versionType": "2.7.2"
      },
      {
        "status": "unaffected",
        "version": "2.7.3"
      }
    ]
  }
]