Skip to content

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8vhc-hwhc-cpj4 #1825

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-8vhc-hwhc-cpj4#1825
Assignees
tatianab
Labels
excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Jun 6, 2023

In GitHub Security Advisory GHSA-8vhc-hwhc-cpj4, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/rancher/rancher 2.7.4 >= 2.7.0, < 2.7.4

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/rancher/rancher
      versions:
        - introduced: 2.7.0
          fixed: 2.7.4
      packages:
        - package: github.com/rancher/rancher
    - module: github.com/rancher/rancher
      versions:
        - introduced: 2.6.0
          fixed: 2.6.13
      packages:
        - package: github.com/rancher/rancher
summary: Rancher users retain access after moving namespaces into projects they don't have access to
description: "### Impact\nA vulnerability was identified in which users with update privileges on a namespace, can move that namespace into a project they don't have access to. After the namespace transfer is completed, their previous permissions are still preserved, which enables them to gain access to project-specific resources (such as [project secrets](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-resources-setup/secrets#creating-secrets-in-projects)). In addition, resources in the namespace will now count toward the [quota limit](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/manage-projects/manage-project-resource-quotas/about-project-resource-quotas) of the new project, potentially causing availability issues.\n\nUser with roles `Project Owner` and `Project Member` on the source project can exploit this vulnerability; however, this would also apply to custom roles with similar privileges. \n\nThe patched version include an improved RBAC mechanism, which checks if the user has the correct permissions before the namespace move takes place.\n\n### Patches\nPatched versions include releases `2.6.13`, `2.7.4` and later versions.\n\n### Workarounds\nThere is no direct mitigation besides updating Rancher to a patched version.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/)."
cves:
    - CVE-2020-10676
ghsas:
    - GHSA-8vhc-hwhc-cpj4
references:
    - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-8vhc-hwhc-cpj4
    - web: https://github.com/rancher/rancher/releases/tag/v2.6.13
    - web: https://github.com/rancher/rancher/releases/tag/v2.7.4
    - advisory: https://github.com/advisories/GHSA-8vhc-hwhc-cpj4

Metadata

Metadata

Assignees

Labels

excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions