Improper Preservation of Permissions Affecting github.com/rancher/rancher package, versions >=2.6.0 <2.6.13 >=2.7.0 <2.7.4
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHER-5664727
- published 2 Jun 2023
- disclosed 2 Jun 2023
- credit Unknown
Introduced: 2 Jun 2023
CVE-2023-22647 Open this link in a new tabHow to fix?
Upgrade github.com/rancher/rancher to version 2.6.13, 2.7.4 or higher.
Overview
Affected versions of this package are vulnerable to Improper Preservation of Permissions allowing standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved.
Note:
When this operation is followed-up by other specially crafted commands, it can result in the user gaining access to tokens belonging to service accounts in the local cluster.
IoC
Users with audit logs enabled in Rancher can try to identify possible abuses of this issue by going through the logs. To sieve through the data users can filter by kind: Secret with type: provisioning.cattle.io/cloud-credential, and then investigate all log entries that affect that specific resource. A secondary check would be to filter by all operations with Opaque Secrets within the cattle-global-data namespace.
After patching, it is recommended that users review access methods to Rancher (including RBAC policies, tokens, and host-level node access), to ensure that no changes were made to persist access to users who have leveraged this vulnerability.