Veracode Vulnerability Database: VERACODE:40877
Jun 13, 2023 - 8:24 a.m.

Privilege Escalation

2023-06-13 08:24:53
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

Tags: github, rancher, vulnerability, privilege escalation, namespace, update access, project, resources, quota limit, denial of service

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 23.7%

github.com/rancher/rancher is vulnerable to Privilege Escalation. Users who have update access to a namespace can move it into a project they don’t have access to, which gives them access to resources that are only available to that project (such as project secrets). Moving the namespace also causes its resources to count against the quota limit of the new project, which may cause denial of service conditions.
