Insufficient Session Expiration Affecting github.com/rancher/rancher/pkg/auth/providers/common package, versions >=2.7.0 <2.7.14 >=2.8.0 <2.8.5


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGAUTHPROVIDERSCOMMON-7268007
  • published 19 Jun 2024
  • disclosed 17 Jun 2024
  • credit Unknown

How to fix?

Upgrade github.com/rancher/rancher/pkg/auth/providers/common to version 2.7.14, 2.8.5 or higher.

Overview

github.com/rancher/rancher/pkg/auth/providers/common is a complete container management platform

Affected versions of this package are vulnerable to Insufficient Session Expiration for deleted or disabled user accounts on the configured authentication provider (AP). An attacker in possession of formerly-active user credentials can gain access using the user tokens of the accounts associated with those users.

Workaround

Administrators that are unable to update to a patched Rancher Manager version, are advised to delete Rancher users, via kubectl or through the UI, as soon as those users are deleted from the Authentication Provider. If a user needs to be temporarily disabled on the Authentication Provider, similar intervention will need to take place to reflect that change on Rancher Manager.

Below is a procedure to list and remove a deleted/disabled user in Rancher using kubectl (with a privileged kubeconfig).

  1. List all users bound to a supported external auth provider, then returns username, uid, displayName and PrincipalIds which contains the related authprovider_user://ID
#!/bin/bash

for authprovider in {activedirectory,azure,common,genericoidc,github googleauth, keycloakoidc,ldap,oidc,publicapi,saml} do kubectl get users -o json | jq --arg authprovider "$authprovider" '.items[] | select(.principalIds[] | test("^" + $authprovider + "_user://")) | {username: .metadata.name, uid: .metadata.uid, displayName: .displayName, principalIds: .principalIds}' done

  1. Once the authprovider_user://ID (and/or DisplayName) is confirmed, remove the user from the Rancher UI or using kubectl delete users <USERNAME>.

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
8.6 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    High
  • Integrity (VI)
    High
  • Availability (VA)
    None
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None