github.com/rancher/rancher/pkg/apis/management.cattle.io/v3 is a complete container management platform

Affected versions of this package are vulnerable to Incorrect Privilege Assignment when enforcing the privileges of a the RoleTemplate object with external set to true. For such objects, when the ClusterRole is set to project or is empty, an attacker can escalate privileges.

The package maintainers have provided a script for users to identify and correct RoleTemplates with a missing externalRules field and no backing ClusterRole.

#!/bin/bash
set -euo pipefail

get all RoleTemplates with .context == "project" or .context == "" that don't have externalRules.
rts=$(kubectl get roletemplates -o json | jq -r  '.items[] | select((.context == "project" or .context == "") and .external == true and .externalRules == null) | .metadata.name')
found_invalid_rt=false
for rt in $rts; do
  if ! kubectl get clusterrole "$rt" > /dev/null 2>&1; then
     echo "$rt" # prints RoleTemplate names that don't have a backing ClusterRole
     found_invalid_rt=true
  fi
done
if ! $found_invalid_rt ; then
    echo 'This cluster is not affected by CVE-2023-32197: no RoleTemplate objects found'
fi

• GitHub Commit
• GitHub Commit