Описание
Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
A vulnerability was discovered in Rancher versions 2.0 through the aforementioned fixed versions, where users were granted access to resources regardless of the resource's API group. For example Rancher should have allowed users access to apps.catalog.cattle.io, but instead incorrectly gave access to apps.*. Resource affected include:
Downstream clusters: apiservices clusters clusterrepos persistentvolumes storageclasses
Rancher management cluster apprevisions apps catalogtemplates catalogtemplateversions clusteralertgroups clusteralertrules clustercatalogs clusterloggings clustermonitorgraphs clusterregistrationtokens clusterroletemplatebindings clusterscans etcdbackups nodepools nodes notifiers pipelineexecutions pipelines pipelinesettings podsecuritypolicytemplateprojectbindings projectalertgroups projectalertrules projectcatalogs projectloggings projectmonitorgraphs projectroletemplatebindings projects secrets sourcecodeproviderconfigs
There is not a direct mitigation besides upgrading to the patched Rancher versions.
Пакеты
github.com/rancher/rancher
>= 2.0.0, < 2.4.16
2.4.16
github.com/rancher/rancher
>= 2.5.0, < 2.5.9
2.5.9
Связанные уязвимости
A Incorrect Permission Assignment for Critical Resource vulnerability in Rancher allows users in the cluster to modify resources they should not have access to. This issue affects: Rancher versions prior to 2.5.9 ; Rancher versions prior to 2.4.16.
Уязвимость программного обеспечения управления кластерами Kubernets Rancher, связанная с ошибками назначения разрешений, позволяющая нарушителю изменять ресурсы в кластере