CVE-2022-21953 Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster

2023-02-0700:00:00

CWE-862

suse

www.cve.org

cve-2022-21953

authenticated user

unauthorized access

suse rancher

shell pod

kubectl

missing authorization

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.1%

JSON

A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.

CNA Affected

[
  {
    "vendor": "SUSE",
    "product": "Rancher",
    "versions": [
      {
        "version": "Rancher",
        "status": "affected",
        "lessThan": "2.5.17",
        "versionType": "custom",
        "changes": [
          {
            "at": "2.6.10",
            "status": "unaffected"
          },
          {
            "at": "2.7.1",
            "status": "unaffected"
          }
        ]
      }
    ]
  }
]