Upgrade github.com/rancher/rancher/pkg/auth/tokens to version 2.7.14, 2.8.5 or higher.
github.com/rancher/rancher/pkg/auth/tokens is a complete container management platform
Affected versions of this package are vulnerable to Insufficient Session Expiration for deleted or disabled user accounts on the configured authentication provider (AP). An attacker in possession of formerly-active user credentials can gain access using the user tokens of the accounts associated with those users.
Administrators who are unable to update to a patched Rancher Manager version are advised to delete Rancher users, via kubectl or through the UI, as soon as those users are deleted from the Authentication Provider. If a user needs to be temporarily disabled on the Authentication Provider, similar intervention will need to take place to reflect that change on Rancher Manager.
Below is a procedure to list and remove a deleted/disabled user in Rancher using kubectl (with a privileged kubeconfig).

The following script lists the Rancher users together with their username, uid, displayName and PrincipalIds, which contains the related authprovider_user://ID:
```bash
#!/bin/bash
# Iterate over the authentication provider prefixes Rancher uses in principal IDs
# and print every user that carries a principal from that provider.
for authprovider in activedirectory azure common genericoidc github googleauth keycloakoidc ldap oidc publicapi saml; do
  kubectl get users -o json | jq --arg authprovider "$authprovider" \
    '.items[]
     | select(any(.principalIds[]?; test("^" + $authprovider + "_user://")))
     | {username: .metadata.name, uid: .metadata.uid, displayName: .displayName, principalIds: .principalIds}'
done
```
Once the authprovider_user://ID (and/or DisplayName) is confirmed, remove the user from the Rancher UI or using kubectl delete users <USERNAME>.
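As an added example, not part of the advisory or of the Rancher project, the following script goes one step further than the listing above: it reconciles the output of `kubectl get users -o json` against the set of principal IDs still active on the authentication provider (which the operator is assumed to have exported) and reports the Rancher users whose provider principal no longer exists, together with the `kubectl delete users` commands to review. The user records are constructed sample data, not real output.

```python
import json
import re
from typing import Iterable

# Authentication provider prefixes used in Rancher principal IDs (same list as the advisory's script).
AUTH_PROVIDERS = ("activedirectory", "azure", "common", "genericoidc", "github",
                  "googleauth", "keycloakoidc", "ldap", "oidc", "publicapi", "saml")
PRINCIPAL_RE = re.compile(r"^(?P<provider>[a-z]+)_user://.+$")

# Constructed sample shaped like `kubectl get users -o json` (not real data).
SAMPLE_USERS_JSON = json.dumps({"items": [
    {"metadata": {"name": "u-abc12", "uid": "1111"}, "displayName": "Alice",
     "principalIds": ["local://u-abc12", "github_user://1001"]},
    {"metadata": {"name": "u-def34", "uid": "2222"}, "displayName": "Bob",
     "principalIds": ["local://u-def34", "github_user://1002"]},
    {"metadata": {"name": "u-admin", "uid": "3333"}, "displayName": "Default Admin",
     "principalIds": ["local://u-admin"]},
]})


def external_principals(user: dict) -> list[str]:
    """Return the user's principal IDs that belong to a configured authentication provider."""
    result = []
    for pid in user.get("principalIds") or []:  # principalIds may be absent or null
        m = PRINCIPAL_RE.match(pid)
        if m and m.group("provider") in AUTH_PROVIDERS:
            result.append(pid)
    return result


def orphaned_users(users_json: str, active_principals: Iterable[str]) -> list[dict]:
    """Rancher users whose provider principal is missing from the provider's active set.

    `active_principals` holds IDs such as "github_user://1001" that are still enabled
    on the authentication provider (assumed to be exported by the operator).
    Local-only accounts are skipped because the provider does not govern them.
    """
    active = set(active_principals)
    orphans = []
    for user in json.loads(users_json)["items"]:
        stale = [pid for pid in external_principals(user) if pid not in active]
        if stale:
            orphans.append({"username": user["metadata"]["name"], "uid": user["metadata"]["uid"],
                            "displayName": user.get("displayName"), "stalePrincipals": stale})
    return orphans


def delete_commands(orphans: list[dict]) -> list[str]:
    """The kubectl commands an administrator would review, then run, for each orphaned user."""
    return [f"kubectl delete users {o['username']}" for o in orphans]
```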