Improper Ownership Management in github.com/rancher/rancher/pkg/apis/management.cattle.io/v3 | CVE-2024-22031

Q: How to fix?

Upgrade github.com/rancher/rancher/pkg/apis/management.cattle.io/v3 to version 2.9.9-alpha1, 2.10.5-alpha3, 2.11.1-alpha2 or higher.

Introduced: 25 Apr 2025

NewCVE-2024-22031 (opens in a new tab) CWE-282 (opens in a new tab)

How to fix?

Upgrade github.com/rancher/rancher/pkg/apis/management.cattle.io/v3 to version 2.9.9-alpha1, 2.10.5-alpha3, 2.11.1-alpha2 or higher.

Overview

github.com/rancher/rancher/pkg/apis/management.cattle.io/v3 is a complete container management platform

Affected versions of this package are vulnerable to Improper Ownership Management for projects, whose namespace defaults to being the project name, regardless of cluster. A user with permission to create a project can escalate privileges to those of a user who owns a project by the same name in a different cluster by creating a project with the same name, thereby gaining access to the other project's resources.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
High
Integrity (SI)
High
Availability (SA)
High

Improper Ownership Management Affecting github.com/rancher/rancher/pkg/apis/management.cattle.io/v3 package, versions >=2.8.0-alpha1 <2.9.9-alpha1>=2.10.0-alpha1 <2.10.5-alpha3>=2.11.0-alpha1 <2.11.1-alpha2

Severity

Do your applications use this vulnerable package?

Introduced: 25 Apr 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk