Insufficient Session Expiration Affecting github.com/rancher/rancher/pkg/client package, versions >=2.7.0 <2.7.14 >=2.8.0 <2.8.5
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGCLIENT-7268009
- published 19 Jun 2024
- disclosed 17 Jun 2024
- credit Unknown
Introduced: 17 Jun 2024
CVE-2023-22650 Open this link in a new tabHow to fix?
Upgrade github.com/rancher/rancher/pkg/client
to version 2.7.14, 2.8.5 or higher.
Overview
github.com/rancher/rancher/pkg/client is a complete container management platform
Affected versions of this package are vulnerable to Insufficient Session Expiration for deleted or disabled user accounts on the configured authentication provider (AP). An attacker in possession of formerly-active user credentials can gain access using the user tokens of the accounts associated with those users.
Workaround
Administrators that are unable to update to a patched Rancher Manager version, are advised to delete Rancher users, via kubectl or through the UI, as soon as those users are deleted from the Authentication Provider. If a user needs to be temporarily disabled on the Authentication Provider, similar intervention will need to take place to reflect that change on Rancher Manager.
Below is a procedure to list and remove a deleted/disabled user in Rancher using kubectl
(with a privileged kubeconfig).
- List all users bound to a supported external auth provider, then returns
username
,uid
,displayName
andPrincipalIds
which contains the relatedauthprovider_user://ID
#!/bin/bash
for authprovider in {activedirectory,azure,common,genericoidc,github googleauth, keycloakoidc,ldap,oidc,publicapi,saml}
do
kubectl get users -o json | jq --arg authprovider "$authprovider" '.items[] | select(.principalIds[] | test("^" + $authprovider + "_user://")) | {username: .metadata.name, uid: .metadata.uid, displayName: .displayName, principalIds: .principalIds}'
done
- Once the
authprovider_user://ID
(and/orDisplayName
) is confirmed, remove the user from the Rancher UI or usingkubectl delete users <USERNAME>
.