Closed
Labels
excluded: EFFECTIVELY_PRIVATE (This vulnerability exists in a package that can be imported, but isn't meant to be outside that module.)
Description
CVE-2022-31247 references github.com/rancher/rancher, which may be a Go module.
Description:
An Improper Authorization vulnerability in SUSE Rancher allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster.
This issue affects:
SUSE Rancher
Rancher versions prior to 2.6.7;
Rancher versions prior to 2.5.16.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-31247
- JSON: https://github.com/CVEProject/cvelist/tree/6a9bf4ed6f20fd1b925c11db4c42684ec0d8ca2b/2022/31xxx/CVE-2022-31247.json
- web: https://bugzilla.suse.com/show_bug.cgi?id=1199730
- web: https://github.com/rancher/rancher/security/advisories/GHSA-6x34-89p7-95wg
- Imported by: https://pkg.go.dev/github.com/rancher/rancher?tab=importedby
See doc/triage.md for instructions on how to triage this report.
modules:
  - module: github.com/rancher/rancher
    packages:
      - package: Rancher
description: |
    An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner permission in another project in the same cluster or in another project on a different downstream cluster.
    This issue affects:
    SUSE Rancher
    Rancher versions prior to 2.6.7;
    Rancher versions prior to 2.5.16.
cves:
  - CVE-2022-31247
references:
  - web: https://bugzilla.suse.com/show_bug.cgi?id=1199730
  - web: https://github.com/rancher/rancher/security/advisories/GHSA-6x34-89p7-95wg