x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-7h8m-pvw3-5gh4 #3220
Description
Advisory GHSA-7h8m-pvw3-5gh4 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/rancher/rancher |
Description:
Impact
A vulnerability has been identified whereby Rancher Manager deployments containing Windows nodes have weak Access Control Lists (ACL), allowing BUILTIN\Users or NT AUTHORITY\Authenticated Users to view or edit sensitive files which could lead to privilege escalation.
The affected files include binaries, scripts, configuration and log files:
C:\etc\rancher\wins\config
C:\var\lib\rancher\agent\rancher2_connection_info.json
C:\etc\rancher\rke2\config.yaml.d\50-rancher.yaml
C:\var\lib\rancher\agent\applied\*-*-applied.plan
C:\usr\local\bin\rke2
C:\var\lib\rancher\capr\idempot...
References:
- ADVISORY: https://github.com/advisories/GHSA-7h8m-pvw3-5gh4
- ADVISORY: https://github.com/rancher/rancher/security/advisories/GHSA-7h8m-pvw3-5gh4
Cross references:
- github.com/rancher/rancher appears in 38 other report(s):
- data/excluded/GO-2022-0439.yaml (https://github.com/golang/vulndb/issues/439) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0464.yaml (https://github.com/golang/vulndb/issues/464) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0551.yaml (https://github.com/golang/vulndb/issues/551) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0605.yaml (https://github.com/golang/vulndb/issues/605) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0610.yaml (https://github.com/golang/vulndb/issues/610) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0973.yaml (https://github.com/golang/vulndb/issues/973) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0974.yaml (https://github.com/golang/vulndb/issues/974) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0975.yaml (https://github.com/golang/vulndb/issues/975) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1511.yaml (https://github.com/golang/vulndb/issues/1511) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1513.yaml (https://github.com/golang/vulndb/issues/1513) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1514.yaml (https://github.com/golang/vulndb/issues/1514) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1516.yaml (https://github.com/golang/vulndb/issues/1516) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1517.yaml (https://github.com/golang/vulndb/issues/1517) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1518.yaml (https://github.com/golang/vulndb/issues/1518) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1736.yaml (https://github.com/golang/vulndb/issues/1736) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1814.yaml (https://github.com/golang/vulndb/issues/1814) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1815.yaml (https://github.com/golang/vulndb/issues/1815) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1816.yaml (https://github.com/golang/vulndb/issues/1816) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1825.yaml (https://github.com/golang/vulndb/issues/1825) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1905.yaml (https://github.com/golang/vulndb/issues/1905) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0644.yaml (https://github.com/golang/vulndb/issues/644)
- data/reports/GO-2022-0755.yaml (https://github.com/golang/vulndb/issues/755)
- data/reports/GO-2023-1973.yaml (https://github.com/golang/vulndb/issues/1973)
- data/reports/GO-2023-1991.yaml (https://github.com/golang/vulndb/issues/1991)
- data/reports/GO-2024-2535.yaml (https://github.com/golang/vulndb/issues/2535)
- data/reports/GO-2024-2537.yaml (https://github.com/golang/vulndb/issues/2537)
- data/reports/GO-2024-2760.yaml (https://github.com/golang/vulndb/issues/2760)
- data/reports/GO-2024-2761.yaml (https://github.com/golang/vulndb/issues/2761)
- data/reports/GO-2024-2762.yaml (https://github.com/golang/vulndb/issues/2762)
- data/reports/GO-2024-2764.yaml (https://github.com/golang/vulndb/issues/2764)
- data/reports/GO-2024-2768.yaml (https://github.com/golang/vulndb/issues/2768)
- data/reports/GO-2024-2771.yaml (https://github.com/golang/vulndb/issues/2771)
- data/reports/GO-2024-2778.yaml (https://github.com/golang/vulndb/issues/2778)
- data/reports/GO-2024-2784.yaml (https://github.com/golang/vulndb/issues/2784)
- data/reports/GO-2024-2929.yaml (https://github.com/golang/vulndb/issues/2929)
- data/reports/GO-2024-2931.yaml (https://github.com/golang/vulndb/issues/2931)
- data/reports/GO-2024-2932.yaml (https://github.com/golang/vulndb/issues/2932)
- data/reports/GO-2024-3161.yaml (https://github.com/golang/vulndb/issues/3161)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/rancher/rancher
non_go_versions:
- introduced: 2.7.0
- fixed: 2.8.9
- introduced: 2.9.0
- fixed: 2.9.3
vulnerable_at: 1.6.30
summary: |-
Rancher allows privilege escalation in Windows nodes due to Insecure Access
Control Lists in github.com/rancher/rancher
cves:
- CVE-2023-32197
ghsas:
- GHSA-7h8m-pvw3-5gh4
references:
- advisory: GHSA-7h8m-pvw3-5gh4
- advisory: GHSA-7h8m-pvw3-5gh4
source:
id: GHSA-7h8m-pvw3-5gh4
created: 2024-10-25T20:01:48.826343638Z
review_status: UNREVIEWED