Execution with Unnecessary Privileges Affecting github.com/rancher/rancher/pkg/controllers/management/drivers/nodedriver package, versions >=2.7.0 <2.7.16-alpha5 >=2.8.0 <2.8.9-alpha10 >=2.9.0 <2.9.3-alpha5
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGCONTROLLERSMANAGEMENTDRIVERSNODEDRIVER-8310219
- published 30 Oct 2024
- disclosed 25 Oct 2024
- credit Unknown
Introduced: 25 Oct 2024
New CVE-2024-22036 Open this link in a new tabHow to fix?
Upgrade github.com/rancher/rancher/pkg/controllers/management/drivers/nodedriver to version 2.7.16-alpha5, 2.8.9-alpha10, 2.9.3-alpha5 or higher.
Overview
github.com/rancher/rancher/pkg/controllers/management/drivers/nodedriver is a project that provides a container management platform built for organizations that deploy containers in production.
Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to not sufficiently isolating cluster and node drivers from the root-privileged containing service, in the NewPlugin() function for node drivers, and binaries being placed at an insecure location in the user's PATH. A privileged user can escape the chroot jail or gain privileges on the underlying system by registering a malicious driver. During registration, the binaries /usr/bin/rancher-machine, /usr/bin/helm_v3, and /usr/bin/kustomize are executed with the privileges of the parent process.