x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2023-22648

[GoVulnBot]

CVE-2023-22648 references github.com/rancher/rancher, which may be a Go module.

Description:
A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users
while they are logged in the Rancher UI. This would cause the users to
retain their previous permissions in Rancher, even if they change groups
on Azure AD, for example, to a lower privileged group, or are removed
from a group, thus retaining their access to Rancher instead of losing
it.
This issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-22648
• JSON: https://github.com/CVEProject/cvelist/tree/f1edaa0582cbf9f5275c95c5dd0b98f15728f2bf/2023/22xxx/CVE-2023-22648.json
• advisory: GHSA-vf6j-6739-78m8
• web: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648
• Imported by: https://pkg.go.dev/github.com/rancher/rancher?tab=importedby

Cross references:

• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-wm2r-rp98-8pmh #439 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-21951 #464 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-4fc7-hc63-7fjg #551 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-hx8w-ghh8-r4xf #605 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-jwvr-vv7p-gpwq, CVE-2021-36784 #610 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-9qq2-xhmc-h9qr #644 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36782 #973 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2021-36783 #974 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: CVE-2022-31247 #975 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-34p5-jp77-fcrc #1511 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7m72-mh5r-6j3r #1513 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8c69-r38j-rpfj #1514 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-c45c-39f6-6gw9 #1516 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-cq4p-vp5q-4522 #1517 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-g25r-gvq3-wrq7 #1518 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736 EFFECTIVELY_PRIVATE
• Module github.com/rancher/rancher appears in issue x/vulndb: potential Go vuln in github.com/rancher/rancher/server: GHSA-xhg2-rvm8-w2jh #755

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/rancher/rancher
      packages:
        - package: Rancher
description: "A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users \nwhile they are logged in the Rancher UI. This would cause the users to \nretain their previous permissions in Rancher, even if they change groups\n on Azure AD, for example, to a lower privileged group, or are removed \nfrom a group, thus retaining their access to Rancher instead of losing \nit.\nThis issue affects Rancher: from >= 2.6.7 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n\n"
cves:
    - CVE-2023-22648
references:
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-vf6j-6739-78m8
    - web: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22648

[gopherbot]

Change https://go.dev/cl/500496 mentions this issue: data/excluded: batch add 9 excluded reports